bel) WW ect tre 
Phasoetees 
oiled ok 
ail teat aad 
iisded vidal aby 


hy Ba gregh 4" 
ieee a 
by 


dcaghavad 
a gigi betel 


ipoisagaaaais 
Buss bch sip 
sia eaielies 
trata et 

ev aE 


peste gat Talia, li is ane 
erence AS a ees : fs 
Nae sights el dat te eoseaianel 
4 : i piv hie "i es 
saa elpbok seu Sataisanes i Y pba 
Lea “a eh i ‘ 
, Fort ‘ 4 rip Of 
j aed gal eere teed 


by 


rll 


Meh phatall de dey 
ipned oealad 
i Hid cag ibtl tell aw 
spe gehe pita) 
shite dy 


NOT TO BE TAKEN FROM THIS ROOM 


ba: 
co gib Wes 
i 
aaa 


E bed siben's 
NE 34 
ead 

naa 


ef 
a 


act hy as PY iss Rita rele ee 1a 
SN atau Ne ay Ny “ish ay 
i Sa Rebs 


iit 

\ tet 
eA Wn Abe OTN 
cy yagi (se 


Bp 
Ue ee 
ey 


i 
i 


Ay. fh 


Tees 
i yon 
ie 


1 
CV of 
veo Ap oye 


A CL ‘ 
RAEI ahd it Af ‘ 
\ nieeenvak 
Wa a 
Ford ah Aires SRN AST Sie 
Wats 


NR 
ASH 
Pen ven at elke Hen SRE 
STR GLE Pi arate cy wad 
¢ WERE Y Hl ‘ anh A rt Niataes! 
ier = se agen gua 
i t bia SRY 


F i aie 
f Ny, APM rs Aalst 
is BAR meatal wt es ReckaNN TANS 
PARENT Ra aahk i ean sgntyuee at te 
y ADVAN eee Wig : ‘ 3 
Nees yesige RSE DS vs ‘i 
Pea ea Scala tha RSM ST aReueee 
SRS ; r Canabaten 
ie pee SACRA te 


it 
“ik 
9 


Vy t 
Hodis Bs ELL Iea anon THE 
pice TT 

qebin 4) 

Csi ea aca 

i) f ty ! 
rene tal Be MOL Nahe yaa we MR 
‘ RASA NACE geteehe i ; 
ey \ Hr RA 4 i 
Y : butt 


yay rats 
‘ page 


ant é 
Ree RCE RUA 


Tete 
‘ 
SWAP AMEE 
A A) AHERN HN 
Wasa LTT WAS 


NRHN Nu 


Gx ipnis 
UNINTASTTATS 
HABERTAEASIS 


1 Pra 
a Foie 
nh ere 


THE UNIVERSITY OF ALBERTA 


RELEASE FORM 


Name of Author: EDWARD SACHARUK 


Thesis Title: SECURE PERSONAL COMMUNICATIONS 


AND AUTHENTICATION 


Degree; MASTER OF SCIENCE 


Year Granted: 1982 


Permission is hereby granted to the UNIVERSITY OF 
ALBERTA LIBRARY to reproduce single copies of this 
thesis and to lend or sell such copies for private, 


scholarly, or scientific purposes only. 


The author reserves other publication rights, and 
neither the thesis nor extenSive extracts from it may 
be printed or otherwise reproduced without the 


author's permission. 


ae stv 
anesind 46. 0-t) ah 
ria tsaradso 


ae Pee ae 7 ay Bila vot Bp diaae Gov sail er, hes AeeareF 


oo 


THE UNIVERSITY OF ALBERTA 


SECURE PERSONAL COMMUNICATIONS AND AUTHENTICATION 


by 
(C) EDWARD SACHARUK 
a 
A THESIS 


SUBMITTED TO THE FACULTY OF GRADUATE STUDIES AND RESEARCH 
IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE 


OFs MASTER OF = SGLENCE 


DEPARTMENT OF COMPUTING SCIENCE 


EDMONTON ALBERTA CANADA 


- 


SPRING 1982 


Digitized by the Internet Archive 
in 2024 with funding trom 
University of Alberta Library 


https://archive.org/details/Sacharuk1982 


THE UNIVERSITY OF ALBERTA 


FACULTY OF GRADUATE STUDIES AND RESEARCH 


The undersigned certify that they have read, and 
recommend to the Faculty of Graduate Studies and Research, 
for acceptance, a thesis entitled "SECURE PERSONAL 
COMMUNICATIONS AND AUTHENTICATION", submitted by Edward 
Sacharuk in partial fulfillment of the requirements for the 


degree of Master of Science. 


ase S| Poy ol? 


ae 


=) ©e, 0 


: 
| 
= 

3 


so 84 
- > 
‘wile 


6s “a6 * 


a ee 


Abstract 


An inexpensive and portable secure communications and 
authentication network might find some application but to 
date the designs proposed have been expensive and severely 
restricted in their locatability. Proposed networks, 
implementing either private- or public-key cryptosystems, 
require a large securely located central computer for key 
generation, initiation of communications channels, and 
authentication. 

This thesis examines the problem of designing a secure 
network that uses only small computers for the 
communications devices and the central mechanism. It is 
shown that such a network can be constructed if a public-key 
cryptosystem is implemented with keypair generation 
distributed to the communications devices themselves. 
Besides reducing the workload of the central computer, 
distributed keypair generation is shown to have the 
side-effect that a protocol can be designed that makes it 
very difficult for an intruder to undetectably use a lost or 
stolen secret key. 

The thesis also examines the feasibility of implementing 
a public-key cryptosystem, in its entirety, on 
microcomputers. It is shown that one public-key algorithm, 
the RSA cryptosystem, has potential for such application but 
that in a straightforward implementation encryption speed 


and keypair generation speed will be too slow for a useful 


lv 


Pages tide Are ao) 
pee tows 10 “sain 9 vena nem 
wr sae eet tees yianwome. seal 6 

bas \Slortetle PASE thes mms is opie? 1 iat ‘glans 
oebeet 


@wicse) 4 ocineseas To pat tar grt aye sleste oldt 
acid ras Piel Ager ty lone yisg naaw 208) aie of 

at 2? cits ate pent ek a3. Bis, ear iesO, 80a) )Gage | 
qea-ahiida £121 Shier hed, g-vies Wide at by Ape saat 
stb deim apa iy ruohetioetqat @b mpregee 
eden OA ribiehotivanan wt of Bendis 
;2eiuQee> tetrad ado 25. teclwtew 3M pal sete? cof 

sa} sys os huble epialsetenee ingyed Oesedl 

fa -PAier TOAt pasg inet Bios: iocoteeg & fads 238 

¥o Seale neu vide yee29bne ms Teh 220k GE 199 efunsshed, 
eyed Jet oee 

ol sents te’ pe mca arty a oats pana? est 


Bri ecacionad Belkes 
eee ones 


a i aes 


network to be constructed. A method for increasing these 
Speeds is presented that involves the use of a new algorithm 
for finding the remainder of a division; the improved 
performance is shown to be sufficient to make practical the 
construction of a microprocessor-based secure communications 
and authentication network suitable for interpersonal 


applications. 


ne 
a 
“isase shiqn i so 


— 
800 iveation 
’ 


Acknowledgements 


Theses are not written in a vacuum. This one is to a 
large degree a byproduct of the help given me in many ways 
by my fellow students and the faculty of the Department of 
Computing Science during the past three years. It has been 
a wonderful and exciting three years. Thank you. 

This thesis would not have been conceived without a 
particularly fruitful discussion with Tony Olekshy in the 
summer of 1980. It would not have reached its present form 
without the many helpful, and always correct, criticisms and 


Suggestions by my Supervisor, Professor Wayne Jackson. 


vi 


Dedication 


Hwee Kin: no words 


Jan: no numbers 


Vo 


: iy ih if aka rr iil 


eter Chit: ORT AS* 


H 


Table of Contents 


Piecoduetion 1 
Chapter One - A Cryptography Primer @ 
le VeLnteoduceion 7 
1.2 Basics 10 
Pose DES 14 
1.4 Public-Key Cryptography 16 
1.5 The RSA Cryptosystem 20 
1.6 Electronic Signatures with the RSA Cryptosystem 24 


Chapter Two - An Improved Secure Communications Network 26 


2.1 Antroduction 26 
2.2 Some Secure Communications Network Concepts 28 
2.3 Historical Perspective 30 


Daa AUSecuresCommunicacions and Authentication Network 37 


229, 1 AGUTravial@Publieskey SCD Sy 

Z2a2.2 Ane lmproveds KDG rand ProtocoL 2 

2.4.3 Further Considerations 46 

22 OeappLtcauLons 50 
2.6 Summary and Conclusions 3) | 
Chapter Three - RSACRYPT: An Implementation a6 
Se HeErOduUCeLON oS 
G.2 The) Program 54 


Saad 


aI myadgeezos yaar Oa He 
os rovawe. tips) 422 ae? 89-0 
of 


dep legvoszer> AWD os Adis vv ogee ti hplaoee a! 


oF, (sere: sipteesiduarad.1u5k4 Belvatgai iA Set Tr 


= 
o. ae foctophes gat 1.8 

ut herd rt Lee ee a 
Sa argyle toga ¢.2 ae 


; ct Wye paiakats adiud Sag Gao ijobabhnet steed «4.5 2a 
; oe yei- ot! [cosy Lerggyt A t .8.% 
iaeeeosd nk Dou EevelanT ah 216.8? 
Apt anit is ng rads Baas € 
| ent ives! iaae 0482 
ha iin mei) as Ss amas sik 


- 1 Sewer 8 earl - essay 
neve | owe» 
cn 


7 


ero DIEGIcuULures 58 


3.3.1 Quasi-Random Number Generation 58 
3.3.2 Prime Number Generation 60 
3.4 Analysis of Results 63 
3.4.1 RSACRYPT Results 63 
3.4.2 Michelman's Results 66 
3.4.3 Projected Encryption Speed on the MC68000 67 


3.4.4 Projected Key Generation Speed on the MC68000 68 


3.4.5 Projected Rates With Improved Algorithms 70 

3.4.6 Projected Network Rates iB 

S22 Conc Vusions 72 
Chapter Four - Towards Faster Modular Exponentiation 73 
a introduction 8 
4,2 The Modular Exponentiation Problem 74 
4.3 Approaches that are Infeasible In Practice 76 
4.4 Approaches that Improve Timing 83 


4.4.1 Multiplication using the Karatsuba Algorithm 83 


4.4.2 The Preconditioned Fast Remainder Algorithm 87 


4.5 Conclusion 95 
Summary and Conclusions 98 
References 100 
Appendix 1 - An Example of DES 104 


Px 


L? *, 
) 
. 
e 


iJeranes Teemu" 
- = 7 


1972 Per PR =. eet 


bl all 
7 cy ghar 
i <A — ’ 7 nse fh 
s _ — — _”* ol 
: 
ay Se eee 
i ono en tt ~~ ae 


mebraa= 


- = 


fuga 


- 
>] 1 
: 1 
~ s «4 
{ 
ve ‘4 
. ~ 


3 
_s edt sel sea ¢ 


List of Figures 


Private-Key SCN's 

The Proposed KDC 
Operation of RSACRYPT 
The e-table 

The s-tables 
Encryption with DES 


Decryption with DES 


Evsteoretables 


Time to Factor n 

Encryption Speed of RSACRYPT 
Key Generation Time of RSACRYPT 
Michelman's Results 


Projected Encryption Speeds on the MC68000 


X1 


Zs 


64 


65 


66 


67 


co : 
7h | 
rr mie 
aa 
ey 
im 
; 
ait 
Pr 
*s rt 
7 te 


civ 
oer 9 
* ig 
rn 


ae a ? 
wgia a 
4c 
i) 
Zz 
7 “ww 
Pre 
oan 


List of Algorithms 


ms 
mhote 
collapse 


pfra 


Mast 


oS 
oe) 
94 
94 


Introduction 


Efforts have been made throughout history to build a 
secure communications network, but only recently has it 
become possible to build a network that is inexpensive and 
portable as well as secure. Further, it is now possible to 
provide network users with convenient and unforgeable means 
of message authentication or ‘electronic signatures'. An 
inexpensive secure communications and authentication 
network, if constructed, would have numerous applications. 

This thesis examines the problem of designing a secure 
personal communications and authentication network that 
implements a 'public-key' cryptosystem on microcomputers in 
software. Individual microcomputers would be linked 
together as a network having at its center a central trusted 
mechanism or 'key distribution center' implemented in 
software on a small computer or microcomputer. Since the 
rates of encipherment, decipherment, and message signing are 
expected to be low using small computers the network will be 
useful only for persona] communications and authentication 
and not in areas involving the rapid transfer of large 
Quantities of information. 

The problem of designing a secure microprocessor-based 
network is approached on four levels in Chapters One to 


Four, summarized as follows: 


7 


- @ a “+ Te - eh 
_ * Daud i UzTOSE ; we ms i a 
= ’ 7 a 
6 - : —_ ] 
2 7a q : 
Pp = 7 : 
¢ Saad? A2OWIOe 424 bi 4 ? ew 
~~) Ss é Of---Bu a. ¥ a i a e > 0D ist 
7 ee 7 
gidsep:e oy Bae Ypaihevco: Ast eieeg t Ov IR. s 


] - > 
229654 VSR IVE, ON 2k wIthitiwoas ee Ies SV Faregege 
. 7 ; 


} od : 
' ( nay a” P eee a hey gts Ga f ada 3! e Ten ‘ 
‘ 4 
ty % a ) ‘ p> i pas 4 Sd, = ' ~~ or 
: , ' i 4 
; 7 + Li 


: 4 7 : | 
ra ae £ <s7 - =a om vine ww Ias 2 pe tedsoper 


74" ' at ie 70 O"OC TS r i. Vea” 5 a Ages 
, ATS ere. a ss 
— @é ) 7 : . 
aw a) - : se Ly a —. Tt’ cell! ee 9 ey d acbis if - o .% aw? 7 
' ® 


p. 
be) Peas Lori f¢ LOE =i LG 4 Area ¥ 4 ve a2 TASH Ee } Ia s PS . J 


. +, ® a a 
ob! Hige<sn ad? csatios | ” is i. wal. oe oF Be. 
roti hsqsyisvn Bre Anyi taaiowny 


o / 


4 
: soagi-to s2anei2 oze 
; - oe ae J 


Chapter One. To attain the desired goals it is first 
necesSary to understand something about cryptography in 
general and public-key cryptosystems (there is more than 
one) in particular. This knowledge will aid in deciding 
which public-key algorithm to implement, an important 
consideration since public-key algorithms are not all of 
equivalent quality. 

Chapter One is a review of cryptography in which 
particular emphasis is placed on DES (the 'Data Encryption 
Standard'), a conventional cryptosystem, and on the Rivest- 
Shamir-Adleman (RSA) public-key cryptosystem. We believe 
these two algorithms to be the highest-quality 
representatives of their classes; both find application in 


the software designed. 


Chapter Two. Designing a secure communications network 
involves more than simply implementing an algorithm on 
computers: a network must be designed also, and this 
requires the design of a central mechanism for 
authentication, key distribution, and initiation of 
communications channels, as well as a protocol for its use. 
These considerations, among others, are studied in Chapter 
Two; a key distribution center and a protocol are designed 
that in some ways appear to be novel and which make an 
inexpensive secure network possible. The designs involve 
distributing the keypair generation process to the network 


nodes, which is done for three reasons: 


: ore a 
v rs 


Wand ea notre! lr 


ae 2 


~~ 


\enels cline Le 
> 


ae 


(1) Distribution of keypair generation allows keys to be 
changed more frequently than in a network with 


centralized generation, making cryptanalysis harder. 


(2) The central mechanism can be simplified thereby making 
Dee MOLemeriUctwontnv mm ALSO;meitewid | bebeas@e rere 
implement a simple central mechanism on a small 


CcOonpucer. 


(3) Detection of security breaches is more rapid than in 
previous designs, a consideration that is of particular 


importance in preventing the forgery of signatures. 


The design of an inexpensive secure communications 
network is interesting from a purely theoretical standpoint, 
but there is also a practical side. This chapter concludes 
with a list of some possible applications of the proposed 


design. 


Chapter Three. This chapter is a discussion of an 
implementation of the RSA cryptosystem that we constructed 
at the University of Alberta, the difficulties faced and 
overcome in implementation, and an analysis of the results 
obtained by running the program. 

One important difficulty that was faced arises from the 
requisite complexity of the program: all public-key 
cryptosystems are complex so there are problems in 
implementing one on a large computer, let alone a 


microcomputer. An implementation must be trustworthy: the 


wy, 4 ee - r 7 * + 
- 7 . : 7 _ oe ; ; 7 i 7 ¥ ar ~~ ' - : 7 - 
7 $ We 4 ' if : 4 


a : : 


a ae . 


padi pros As fay mitieitoen ta 


y 


4 


, n 
“pa sihetle ce a at auek Speen, mw a 
/ ~~ eS poe forded sites e.3 ten amt 
| a) ) He “¢ 


a a 
| ) _ 
Gg atl: Dives. Avra ean oeaes Yidweee be. woisjeted «| one 


sedevloreg.t. «. “Ale peli ae sets @ Jeap ised! eual venga 
ee u7edes4 ne ata 1 Pee ees ok oh eae? regal a 


° od sea AOR bP bbe at sph: hebeun he te ayton ot 


antoatingy® Pos! 1ORG0Es Wo iG risa Barb oheeedni 7 ’ 34 
eutekvets sgigsir Stat yenaes, £6) seh § valet \eagda 
Seaeye eg nes  * tothe: faee 3 \oW] Seek ty seeh a ssi 


i 
; 7 _ * 
“fiséte its Lencse ioe, 2% t4igeds SINK |. ReAT oe p 


a 
ietoys Tiny **. Abs oniniiere 425 off YO 261 


bee banat sefztiatttlyreds ers ah Dh 1 scebvide, or. 
anaes vs she ee achievers ran oi 
aseenten 7a! higrh'z orl dtnas “ft | 
ni Sapcharhh » rae? soy? bake 


7 pee 
: , : yy 
st i? 


sa 


user must have confidence in his software and it should work 
correctlysevery stimes Further; some difficulltzesvoccur 
because of the necessity of generating large quasi-random 
numbers and prime numbers. Despite the requirement of 
trustworthiness and the difficulties to be overcome we show 
that with appropriate Structuring the software can be 
implemented relatively easily. 

It is also shown in Chapter Three that with a simple 
"trick' it 1S possible to generate keypairs 5 times faster 
than by using a Straightforward approach, and that it is 
reasonable for the RSA cryptosystem to be implemented in 
software on a powerful microcomputer such as the MC68000. 
Keypairs will be generated rapidly enough, using the 
MC68000, to implement the network designed in Chapter Two 
and encryption speed will be fast enough to satisfy a better 
than average typist. 

Although the software described implements the RSA 
cryptosystem, which may be found to be insecure or 
superceded by better, faster, algorithms, our program should 
be of some help in implementing another public-key 
algorithm; the design principles and much of the software 


will be easily adapted to construction of future software. 


Chapter Four. Since public-key algorithms encipher 
information slowly, the major difficulty with a software 
solution to the proposed network is the expected low 


throughput on communications channels if microcomputers are 


te Weir elie ee fe) Nai) Ny de> Laide | 
7 ~~ Ae 
enemetc brie d, VAD, | ihe 53 4 Piel if ad Yo 


“Wa . - 
pers 13 sk lise: i a 


we 


used. Each of the known public-key cryptosystems require 
that a time-consuming computation be repeatedly done to 
encipher or decipher information. The RSA algorithm uses a 
technique called the 'finite exponential' or 'modular 
exponentiation' to encrypt messages; the best algorithm 
known for modular exponentiation (the method of repeated 
squaring and multiplication) has a time complexity of O(n°) 
if the standard algorithms for multiplication and division 
are used. =i 

Chapter Four is a discussion of approaches taken towards 
computing the finite exponential as quickly as possible in 
practice, with the goal of enabling network users to 
encipher information at typing speed, using a high-quality 
cryptographic key, on a microcomputer. It is shown that it 
is possible to carry out modular exponentiation almost three 
times faster in practice than with use of the standard 
algorithms. Part of this gain in speed is achieved through 
the use of an algorithm for finding the remainder of a 


Givisvon that 16, as farvas we know, original. 


: The standard algorithms are the ones commonly used for 
manual multiplication and division. They are detailed 
iiealgomuspomse:M!, and esD by Knuth (297 

z Throughout the thesis we use 'n' in two different ways: 

PHet hes O-Nnotvatuon yedSaiieo (nd),  tOmindacates theme bine 

complexity of algorithms, and as the modulus used in the 

RSA public-key cryptosystem. The usage will be clear 

Eromstnes contexts. 


: * 
Py) Fa * 
a ae 
a 
} I in > ‘ 32 od? 3s 
- ; aa 
bey, cee 
- - aul Pa of i ; 
| } ‘74 2 in] - 
ay toate ods ‘ ’ 
ve 1 
~ a ; 
ati paydargt hs ipderayty ye he page! | i {2 
‘ § 
Pus » << i< epee 
19: 400) Oa 24 of i ages tj te 9G 
i ; =, 
2 : } 
: ef 
t teow (foukide optt Adah 
eck Oe ae jae i. ie) ae" 
sae i th 
r ; 7 P aay is > 
[eve Ve *hiere 2 ys 1 -~ f4 ss Aas 4 
Le its an) ... euy 


= & ea 


aa Pith 


aie 


7 Te) Ss 7 hag Oaal? eet 
cal pad ee ble Wha cae 
me! 2 pose vir" sities ad vere 
i Na _ 
a”) ) 


Chapter Four also includes a description of a parallel 
algorithm for multiplication that can be easily implemented 
in hardware, to provide a very large rate of encryption. 

Despite the relatively low encryption speeds that are 
possible in software, even with improved algorithms, it will 
be seen in this thesis that it -is not entirely’ correct to 
say: 

"A AEC component of such a public-key system 
implementation ... iSs a hardware device for rapid 
modular exponentiation."[51] 
In fact, an entire spectrum of networks implementing the RSA 
cryptosystem can be built, with varying rates of operation 
depending on whether microprocessors, minicomputers, 
mainframes, or special hardware devices are used. Each type 
of implementation may find application, depending upon the 


requirements of network users and their resources. 


hard gia 
vA 
Py ds ey 
q's © 


may 


wk ‘ 


abal ide 


i 
» = 


“*0 \& 
xX 


end 


"2 iubom © 


: ry) 7 
14 «739 


ys 
” 


- 


Chapter One 


A Cryptography Primer 


1.1 Introduction 


Cryptography is a collection of methods for concealing 
information. A Jogical channel[40] is created whenever two 
Or more parties, Separated in time or space or both, 
communicate by enciphering data using a cryptosystem. 
Parties that communicate using a cryptosystem can have a 
secure conversation but not a secret one, since a third 
party can determine that a conversation is taking place but 
not the contents of the message.' Depending on the method 
used (the cryptosystem) and its means of implementation the 
rate of communication between parties may be large or small; 
that is, the logical channel may be fast or slow. 

Since modern communications traffic requires large 
amounts of confidential information to be handled daily, the 
utility of a cryptosystem is partly measured in terms of the 
channel capacity, which is the maximum amount of information 
that can be enciphered and transmitted in a unit of time on 


a particular logical channel. Research continues for fast 


; Secure information traffic, since it is detectable, is 
SUbJeEGtesatonmirarnic. ahalySiS which™ 1s) discussed) by 
Chaum[6]. Secret information traffic requires the use 
of steganography[26] to conceal the existence of private 
communications channels. 


gitaerdos +0 | 

ows -svenedw beaesag af Pavers feign «a. . obits ad 

(360 sh seoage evant? at Seoevreges er “7 
ata tao tyy7e @, Halen sich qasyaqgiart yom aos 

4.svad nas wedeysersqizc 4 folie sies7cenes teed ; f is 

Sid: @sonte . si paren « 200 Ged. eo. 

gad ‘soeio o7the zl errs rm CD orm oiasoe a6. Eee : 

bonsan qt nw onibabia’* ee io QINwSASS oe 
eu cre heya regis Legis je 8 dae ai. Gne ce ahs alesis ou 

Gilowe me apxdt|ae Gem evi tie nase ow Si sepeagemeby to s18t 

wala 1 3204ésd-yam-teqvente Lushgui, atid oF i-5 

spre siriuges vetsets ahbsd aes ydaine asa yee) 220484 = - 

od? eh Yeh Bei6oed ofc) mgidemre? p- [Al shabitdvoe te 

gis lo sarced n\ Seruaesd gion ai onigdaneedve @ be qill 

fotsamzotni te scuvito uti Reet sts ai dbbtw <i segeo 

fio, wets Jo dines al Rasdyeitess bie bevedgioee ad nap, 


enh tot eeundoncs deiseden .loanéde taoigst ~eliot sea 


means of carrying out encryption[24,51] as well as for 
cryptosystems that are highly (possibly even provably) 
secure, 

The ideals of large channel capacity and high 
cryptosecurity seem to be somewhat incompatible, however. 
The conventional, symmetric[46] or private-key cryptosystems 
(systems in which both communicating parties use the same 
cryptographic key) can be implemented to have large channel 
Capacities, but recently doubts have been raised about the 
long-term cryptosecurity of the best of these, DES. Some of 
the new asymmetric[46] or public-key cryptosystems (systems 
in which the communicating parties use inverse keys to 
_encipher and decipher information) seem to have mathematical 
reasons for believing them secure but they encipher 


information relatively slowly.' 


: The wide disparity between the channel capacities of 
private- and public-key implementations has been noted 
in the literature: 


ee Cr implementations of DES, and at least one 
software implementation, operate at 10% to 10’ bits 
per second (bps) (Williams and Hindin[50]). 


2. The RSA public-key algorithm has been implemented in 
software on a large computer to encipher at 
approximately 500 bps (Michelman[36]) and a 5000 bps 
hardware version may eventually be constructed 
(Denning[9]). 


Simmons[46] has observed that public-key algorithms 
encipher at rates not greater than Cti/2 where C is the 
encryption speed of private-key implementations. 


,asveword ,2) )) Faqmaeal. sediveaoa ed G2 eo 
: 7 7 
é M - ‘ 4 7 a 
: wAD."S ale) so (oe LAGI ote 240 
ge i. 
sucm «At ) £6) 9a BPrtoa»inumies<qyaa do.dw @ 
=) fa 
P _ 7 / ee 
Lerigin aors: 4 gs begnsoatgnt sa age (qed séclQezpe 
U v i . i 
; Jade 339 iss) gyeqd° 2 IGS .Vve Fe ru eeit 
: 
n> , ig S658290 34 26. ¥gi50> nity @ 
he Wes Gshes' ; 18 de lol sears 
' a9 - ' _ eo 
dyad ABA OL Sey sabi the esi teotaytaos eds.Ao 
: —_ rt - ora ey : 
- ¢ 7 } ar > ee | 
i Vit 62758 » iverd aa, Jive 
4 ae it. vit pole | STi 35 ores Oe | , ‘9s. ou ie? 2a 
} * } Mu hua é it g iL! 
rh 7a » ok = rs 
vibe ke YO @ROHCR Shot 
ae 
n 
* / 7 
: . Oe =| jae t i SS 435 fay +f : 
a La i@ag *as ipa 6" MIS ASN S 
: - 
> 
: ? - 
- _ 7 
a ee ee ee 


f ‘] 7 Pa. 7 hi 4 
P “ re senor, Gms fi . ¢ ae 
; : a ra ected 
- 7 7 _ - 7 ey ~*~ 
 Seiosesign! cad S0p 2 ios! «yes 
- , ‘ae q 


ae Te a vga 
‘eh.WGe s Sue 11 Bs, coe" 


+ 


- + i «, 0 


Despite the small channel capacities possible with 
public-key algorithms, however, they have some advantages. 
One of the two inverse keys (the public key) can be 
transmitted openly over an insecure channel, to be used for 
encipherment of messages to the key owner; the owner 
deciphers using his secret key. The use of inverse keys 
allows unforgeable electronic signatures to be easily 
implemented. 

Kahn[26] and other researchers[7,31] have 
comprehensively surveyed private-key cryptosystems and their 
evolution. Extensive treatments of the theory[15,21,27,45] 
and implementation[32] of private-key systems has been 
published, as well as proposals for standardization[38]. 
Much discussion of public-key cryptography has been 
published since their conception by Merkle in the late 
1970's, including surveys[8,12,17,22,23,31,46], theory and 
presentations of new systems[34,35,42], a discussion of 
implementation[36], and a discussion of some directions that 
could be taken in the future in designing improved 
public-key algorithms[18]. The merits of DES and public-key 
systems have been argued by their proponents[48]. 

The remainder of this chapter briefly reviews the state 
of knowledge in cryptography with particular emphasis placed 
on concepts and algorithms referred to throughout the 


thesis. 


cay as 2 
A : ie : 
ie we > M 


eo) aCe atte 2 aleatdis: 

—/. .eee ot : 

oa pao apt ath x : da) byat eersrnt OME 

vet Shaw st on La ‘aa A ae ees yee 
Mews ett State da. oS angeezes to: 

io @@@d seoret Jo weusen? Te sone eld cooled @ 

ghiges oi oF le SineNIaele sideao Aur ee 


atari £16. Hasetesosinn séf2¢c Bea LORit 
viet? Soa eqsee'eo%qyas iat-erav cay Rayeries yplevi ders: 
TRO TE. 9.4 beaned si) Rp shone Ry aetemeaaa cnt 
esd aaa neste, Tea og eth ig 16 EP leolsetnsesiqull 
ikMO nes e820: esate ‘cai Blr= Ages) 24 ‘chine 28 .. 
ata, as: Yager iA > -dnighed. Jo) andy 
Sat ary aa olerdn yt oe eg BiG. ahaha betes Cate 
bite) ya0artg hab ite. P60.) bist. lege alen sda a. 
1a soigauseih. < ‘Tee. Gp eh -tethez sen Jy anbsges 
ae sail agate Snot to q@Regeoed ¢ fee beednons 
“Rpheateas @rt8 Fe8b wares ae af nedoa odd 
anes chee 3s ibis at 14) Tame ree be 
| egsea od seupe vbw amas! 
ead yee ailfe 3s TebAd anys oe 
lesen xenaeaevatco at ae 


Diaitsisogls Sees 


1.2 Basics 


Perhaps the simplest private-key cryptosystem is the 
Caesar cipher, attributed to Julius Caesar. In this system 
the alphabet is written twice, in two rows, the second row 
below and shifted with respect to the first. To encrypt a 
message, characters in the message are looked up in the 
first row and the corresponding characters in the second row 
are written out. The Caesar cipher is the simplest shift 
cipher. 

The shift cipher is the basis of polyalphabetic ciphers 
that, in essence, use a different shift for each character 
of a message. These have led to the one-time pad, a 
provably unbreakable cryptosystem that requires the use of 
an encryption key as long as the message to be encrypted; 
although the one-time pad is an unconditionally secure 
cryptosystem, its use is computationally infeasible for most 
applications[12]. 

Polyalphabetic ciphers are members of a broader class of 
cryptosystems known as substitution ciphers that replace 
symbols in the plaintext message with other symbols, with no 
changenin orders |Ciphers thatido permutes the) orderjof 
symbols are called transposition ciphers. 

Product ciphers are combinations of substitution and 
transposition ciphers such that if S is a substitution 
cipher with C, < S(M) where M is the message to be 


encrypted, and if T is a transposition cipher such that 


; _ 
cur . 
"7 
— } mr ¢ 42° “1 ¢ 7Gu3 {i “at +> ab é r - - 
“ i - .” “4% as : 
F< oe 
magays endt ol .tBee®) aGilet oo Des we 
’ : p> 
a : ens 71: 602 7° .,.Oot* ’ 
4 7 of) o¢ jJosger ice Lis 
om i Sun ' 3 ' 29% 
; : - a°e@>* 
Bt. .seng: a) 3 
= i Si 7 
iia 14083749 &'929)5 
é ' Par. 
y 
* i? | } ; ¢ f j ro) siaddgdeen 
‘ ot eo yet 
=e Oe) ee Oe ee ae ba sits. “fh 
, ( - 
: =f 
Z i T' = ir \ : \ aay @2- 
i > 186407¢ s 26 Suh 419 iis oisetia 
4 
2Gdiqe2 251 . ie ea neocd ames 
. tee » § :) 7) * a? rif on q . { alin ad . 
1 oar 6 € tt 7 [= 139 ida @ = ery } 4444 903 ee 
; 
to pala eiiy stumiteg 5) sar! 24 mgt: <a0b1 
~ iL 7 
» > &@ e de LS 7 ot 5 ac! o- nanan meas ou 
, ee b ae _ 7 : 
>» Be # sib one save pt ee yin whe: areas : 
7 iy -) Doe hae 3 2 7 | 7 
- - wa AY - ; 
oa herd iP -taibs A202 ane Bis. 
; : — - 
_ 


C, « T(M) then P, the product cipher of S and T, is defined 
by 

C,; « P(M) = S(T(M)) = T(S(M)) 
where C,, C2, and C, are ciphertext. Product ciphers 
generally involve numerous cycles of substitution and 
transposition. 

All cryptosystems require at least one key to control 
the encryption process. For all cryptosystems it is true 
that: 

Cheah (Mik) 

Mee9D(C 7K) 
where C and M are the ciphertext and plaintext respectively, 
E and D are the encryption and decryption functions 
respectively, and K, and K, are the encryption and 
decryption keys, respectively. 

In private-key systems K, and K, are the same and 
control the substitutions, transpositions, or both, that 
take place during encryption or decryption. Both the sender 
and receiver must therefore have access to the same key, 
which may be transmitted from one to the other by private 
courier, for example. The functions E and D are not the 
Same, but act as inverses in that a message block that is 
encrypted using either function and a particular key is 
restored to its original state when decrypted using the 


other function and the same key. 


Lo eB 
’ ‘ do 
e ‘ -~ oy + ' rn 
: =a ‘ (2osQ¥, = 284 IQyI one ems 
» a 
= * Yer: 
. - be 
. 
7 be 
Fee 
; 6 
' ! ] 
af f 
e Val y » : 3 Ute Ore 
* 
1} i Io 3 5179 
da Sesveyisie af? ‘as 2 seq) ere et 
; a=) & = Sie : au 4 
_ 
7 a | i oe) m 3 
f ) 
® 
é 
sand aed >. 4c oy Ary. 7w iz 
160992 S47 A208 OLigt tase. 3 ros Grits 
“Ne? 26s 677 oO. S554 4 ; "@> datim 2 
i | - 
1ei* | : isu 3 5) 9SA3 ; 14/1 62 eis sa 
t - 
} ns : S MAB SH: fe 4122Gxe 
bl t 
yc Jets e301 | af ity 1607 Of 2202769NS ae 368 
« ° 


Si YSa 16.0545 964 | i ola Tu} tee Me gnime Bed 
ad tegadas sivas ae stage Lee. gers est 
3 
ws 2 in alias nes tom 
u 
7 


- : 
iy 


_ 


On the other hand, in public-key cryptosystems E and D 
are precisely equivalent but the keys are different, acting 
as inverses of each other. One of the keys can be revealed 
with no loss of security but with the possibility that the 
key owner may receive unwanted messages from unknown 
parties. 

Shannon[45] laid the foundation for mathematical 
analysis of cryptography, particularly private-key 
cryptography, by introducing the concepts of confusion and 
diffusion. Confusion is an easily quantifiable concept that 
is provided by all substitution ciphers to varying degrees. 
Diffusion is less easily quantified since it deals with 
disguising the statistical characteristics (statistics) 
possessed by all spoken languages; statistics are related in 
a complex way to the redundancy inherent in spoken languages 
and a precise measure of redundancy is difficult to 
formulate. Statistical information can be obtained from 
analysis of the frequency of occurrence of single letters or 
groups of letters (digram, trigram, and n-gram statistics). 
Transposition ciphers attempt to conceal statistics by 
diffusing them into a featureless ‘background noise’. 

Cryptanalysis involves the use of n-gram statistics or 
other side information to decipher a cryptogram without 
knowledge of the key used. Side information can come from 
sources other than statistical analysis. For example, 
probable word analysis involves searching for expected words 


in a cryptogram; a corporate cryptogram might be expected to 


vF _ 
Ghana GS a 
a 
, : _ 
Pt) 4 = oa! Ie 
6 ° 
beléeves sd cao evs" dirt ono o 
_ = 
. oh « a4 > a a @4' 
F ys iy aera! aii" é { \ wy azol ‘ ws 
1 8 1 2 n ce7n ~> @ViS09 2 x 
=i 
_ e - rr» 
} i , a rte» ae 4 * d 4 4 
; at MoS a 4 : 4 > 2 35 
folewin on ett obe “ueasini <4 
3 oi i? S3NeVvo.¥ +) Ate Lyle. 
lys 4 ¥ { =" - : > \ 
& 7). sachs saa hinaamy Ni dane jane 
ig [+ 
i = : : 3 , i= 
b * 
Si | 7 S. Gadeu t (2¢ , a FOGG | 3 
: j ‘ : - ey mid 7 
rom cy io 2 3nh : a , tle 
fei > 
+e Eh 0 t pe Pay / VU Sms » ‘ct Poee ery « 20 U9 
: 7 | ia § : 
id j Ts. a = g 
| Baie Eten rok St = «~<OTeeun 
: soi ola! 2 ines ngs: ant to aie 
$eitase eee ben [men “\B/ caine lo aquerp 


4 of * 5 “ A Z = £45 rt , a : 4 eb. 5 4 *} Le a r 7%, ~~ tap 
é iD..9 PrSsuk 9 row qens 


¢ 
cis inilond ' SA 3,Q07U0UIS56- 6 piri | a ed y bau 
7 : e i aioe, 


4 a 


3 ie7672 migsp-n te. qgu.st2 aeviaya! Sr a) 
. s ‘ 7 a 


ara 6 iY. 1 EMO) 3« ae 5 2 *Sfigiuah o : Pe teaar ety} aie 2 . 
rie ¢ 


A 
FS 44. q 
Po 


cy beak acatieadl ot oat Te 
7 
toi hia sete an: vee 


USEmtheawordselprotuowsands lossietor@instance. 

The best source of side information is the plaintext 
message itself. The strongest possible attack against a 
Ccryptosystem, known as the chosen plaintext attack, occurs 
when a cryptanalyst can encrypt a message of his choosing. 
Weaker methods of attack are the known plaintext attack (in 
which the cryptanalyst is given a quantity of ciphertext and 
its corresponding plaintext) and the ciphertext only attack. 
These attacks are used for the testing of private-key 
systems, with public-key cryptosystems depending on 
mathematical reasoning to show them secure. Regardless of 
the attack used the quantity of enciphered messages is 
important; modern cryptosystems cannot be cryptanalysed with 
only a small amount of plaintext and ciphertext. 

‘All cryptosystems can be characterized as either block 
or stream ciphers. Stream ciphers encipher characters 
individually as they are passed into the implementation 
whereas block ciphers encrypt entire blocks of characters at 
a time, causing each bit in the enciphered block to be 
interrelated with all other bits. Modern private-key block 
Ciphers work with blocks of 4, 8, or 16 characters, while 
public-key systems generally use variable-length blocks 
whose length depends upon the key length, also a variable. 
Notice that stream ciphers are degenerate versions of block 


Ciphers. 


13 


: q 


i a avy 
“aitore* gene 
“i - 
i. 2. so7To# 
vm «id 
otK 
i 
1 O24: ‘““S5NS obs 28). og 
» ~ i « {+ > d=see44e 3 ota ; 
4 ‘ iY . S15 ADE Jo ow ’ 
‘ ) Cm ae | gavl: 2 
: ia oa, & \oeeintaly. paibaca 
= ones 7 eau e768 & 
yp pe a, — ~*~ f a 7 > 
Sh ante > 2 . oP Mane ; OF 
a & ~~ = = oie M 
~ ‘J - 3 > 
ater on?, io : Ty “ait Be 
« ~- 
4 a ) ’ t ~ 
. +7 ; +% &s Thee 15a : i 26 Bey hi: a) 4 
dA , x ] 4-4 
a 
* SiS BAS AaRS w od ae i, 
' 7 ' 
; ony Te 5 ris 
’ if 4 = : ae Pe 5 * os ZT a6 ' 
‘ <7 iW f 1 ( 1° Ss a) ° ; iG Gee oni 
; 
a ee Bee io his Adis 
( ~ i ] P ) 
af mn. | ‘a | g i” EG 7 atop F ad , 
P : ® oa ; ae - 
noid. Hepne@l ’sigelwmer eee oe eb) hadi ‘ - 
a , 


ae 82 x a P 


oe cenfteh a86 ont 


Te waneGss | 


+e 


Finally, it is possible to use feedback to combine the 


encrypted output with the input in some fashion (usually the 


"exclusive or'). Feedback is called block chaining when 
used in conjunction with a block cipher and causes an 
encrypted block to be related to all previously encrypted 
blocks as well as the key. More than one cycle of chaining 
of the blocks of a message creates a complex 


interrelationship among all bits in a cryptogram. 


lise DES 


Recognizing the need for an industry standard for 
cryptography, the American National Bureau of Standards 
(NBS) conducted a competition among private companies to 
arrive at such a standard. IBM, apparently in consultation 
with the National Security Agency, won the competition with 
a Gerivative of a block cipher called Lucifer (developed by 
Tuchman) that used a key of 128 bits on blocks of 16 
characters. Lucifer's derivative was tested by the NBS, 
found satisfactory, and promulgated as DES. DES uses a 
56-bit key that is artificially expanded to be 64 bits in 
length before use for encryption; it is a block, product, 
private-key cipher. 

For an implementation to be advertised as conforming to 
the standard the NBS requires that it be in hardware, 
presumably for testing purposes. Since DES uses some 


tables, the s-tables and e-table, for non-linear 


bitorcooe 520inl dO nd tiiulad 40.50 al 
gébiteds to sicys angihets 40 yer at on 2hewedl 

Ag igmon 6 4205819 eyoua <i> AS 
marposgaa Ab ests Ue grins qitenekiate 


303 paaSaare diate fe, A. aes odd oni tingonet, ie 


—_ 


: 
a7) 


abvagens? bao) atid tsielc ut sepitens a7 .oipesee 

ws aeivecynd 3 afevity cong ocd #Sanbee @ seccuheos | cap 
ecizetiassec oi (Piawwece. Jt . coebvere & dooe se.eele 
(iie ne vebaenn pio i rea, OS a4 ies PR oinoi tals “dt 
yd hege (408) aeticks | of fee-cade ie Weald-s te aedceels 


ray aide: @ioofu oo ered GA! Je Gipe@ beady: sete tm 


a SEF, SO2' ¢t O924b2 2aW Svatevi ses P~tinwe s@tads 

Rene @80 (2h? gh Ge¥srleoneg Hee  .toroste) 168! 
, Nb 052d #00 2 Sedma vilelo. sages 2: tocr eee aaa 
Pwmbewy, sels ¢ 42 2 Aare saw AS? aii 2 robe iia 


: > kmeatey? sana id 
- - : 
Adee Lo me eink satacatie eres i a0 
a sqreuined wd sa aqoneleng 24 wit CAB 


i : 
mem eal . raid grisea; 193 ge 


WT 


wider 


‘ : ait . 


substitution (in which a group of bits in a message is 
replaced by fewer, or more, bits) the tables are 
unmodifiable in a standard implementation. 

Largely through the efforts of Hellman of Stanford 
University, a controversy has arisen surrounding DES calling 
into question its ability to adequately safeguard 
information, particularly in the long term. At least three 


areas in which DES may be suspect have been noted: 


(1) The Short Key. Hellman feels that it is possible to 
build a $20,000,000 parallel computer, using available 
technology, that would allow its owner to cryptanalyse 
DES-enciphered messages quickly. Consequently, he 
believes that the NBS should have stayed with the 


128-bit key used in Lucifer. 


(2) The Tables. It is conceivable that a 'trapdoor' was 
built into the fixed tables to allow the NSA to easily 
decipher encrypted data without knowledge of the key 
used. The principles underlying the construction of 


the tables have never been revealed by IBM. 


(3) The Testing. Although DES was attacked for many 
man-hours by the NBS the weaker known-plaintext attack 


was used. 


(For further information consult Lempel[31] and Sugarman[48] 


who discuss the DES controversy fully.) 


Jd aon oe Pe — os od Sal 
» toads. oe $oGe) Sedece of) 204 wis ve 
7 - : 7 « 


- 


a a a hs 


ta edge ps ae nee 


ings 7 


=) i 


) Bet Fieenec hoe se “— es 


RE S722 ey 29 3 
hana : 


ian 
a 


7 


’ 


16 


In spite of its possible flaws, DES is the best publicly 
available private-key cryptosystem. Appendix 1 provides a 
brief example of the operation of a simplified version of 
DES that may aid in understanding the algorithm, at least on 
an intuitive level. The example is derived from 


explanations by Lempel[31] and Hindin[24]. 


1.4 Public-Key Cryptography 


Public-key cryptography is founded upon the use of 
outstandingly difficult mathematical problems, which are 
inverted in some sense and used as bases for cryptosystems. 
Whether the cryptosystems themselves are as difficult to 
solve as their underlying base problems is still unclear in 
most cases', but there are reasons for believing that at 
least one of the algorithms (the RSA system) has the same 
complexity as its base problem. 

The paradigm for public-key cryptography can be 
expressed as 

Ceeeu(M Ke) 
M< F(C,K,) 
where M is the plaintext, C is the ciphertext, K, is the 


encryption key and K, is the decryption key. The paradigm 


' For example, Lempel[31] outlines a public-key 
cryptosystem that is based on an NP-complete problem, 
yet is relatively easy to cryptanalyse. 


Cn 


‘ oi a : 
‘ PwEearevseo 1 | 
»-< 
- > 
‘* aa } ~ =@ 4 q 
q = = 
7 
io Gael ; 
4 Lore — 
oy ee 7 
1 3¢aul ra . ml 2itSOLe sit pcibas)eaebck oi Bs 
fi 
‘ : . ‘ —_— ‘ a) 
SFigss-el Sipuaxs. ¢ pa 2 di 
® 
: poe @ ° . rv a | rT i al 
belies Pm ovis ~~ = ‘ ’ 6 62 She. eS 
a : a ; 
v 
att 7 a | 
~ * ~ re ? a | 
; sé * i ‘ AGS dl Nl dk t 5 ’ 
‘ > 1 
: S253 t ey. 3a 2424 2¢ 
@ 
i 4 ry . 4 
Vi 
‘ 
j 2 
. ri FOF, CEPA 54 i ry 
Cd , } 
' Ps G ATROuF ‘ & < 4 gis 
- 4 lin ri i; 
4c 1. 25 ‘ e+ my me a 7 ag — 
} ( 
{ ' 
st e235 3 
PvE | » ~ a = Sale e/ : ¢ =") + 
° 7 4 Big .¢ i { 
S 
of 0 
( ify Age 1% = 
. 
y 
- 
r 
Pp, | 7) | 
- s ’ 
4 
7 2 


, 
Atenktdic of2 aR 


; Sik 2 hcl 
ayy 
an a 


_— 


7 a 


ed B al 
rom od 
iy pispvs + 


requires the use of two difficult problems for its 
realization. To show why this is so, we define a one-way 


function and a trapdoor one-way function: 


(1) A function £ is said to be one-way if it is invertible 
anGeGCaSYeCOnCOMDULE, mOULE TOL, almoStuallexattels 
computationally infeasible to solve y=f(x) for x, given 
y. That is, f is a one-way function if its inverse is 


very difficult to compute. 


(2) It is sometimes possible to arrange that the inverse of 
a one-way function is easy to compute given some 
additional information. In this case there is a 
trapdoor between f and its inverse and f is a trapdoor 


one-way function. 


From these definitions it can be seen that K, and K, in 
the public-key paradigm must be related by a trapdoor 
one-way function so that it is difficult to compute one from 
the other. Additionally, knowledge of F and either M or C 
without the corresponding key must be insufficient to 
compute C or M, respectively. 

The literature describes six public-key schemes, with 
some reference made to unpublished proprietary schemes. The 
Rivest-Shamir-Adleman (RSA) cryptosystem, seemingly the best 
of the six, is discussed later in this chapter. The other 
five public-key cryptosystems are briefly summarized below, 


with emphasis on their flaws: 


- ° : 
vVaersano s 9 
LJ 
% 
rs Ti a2 
eNO > 4 22 Toi Tay Yewnene a ; 
mo aig’ ai, Ade jeasath! Lancet gibbe 
i . 7 ie = Par.) 
J 
b i 7 ’ 
_ ¢ H % Y| 
i : : a re Vee fi 3 4 be) aS ae) hel oP’ 
STS 8 Yd STEPS BG) Seu MP Rag Pea >i lee 
[ a 4 
it 810 B2uGmes 62 VoOPlI ee ai si sats cera tzsend 
i f 
2 204M Sats #0 eps lion. el Laroigipsa are 
ad Ui ’ 
of “‘traeloiiivad® ad sam ee 5 ‘S42 ? 
: Sones. Gn 24 "5 - 
’ j) 
eliw:, eenhaiit® gdansi Sue «ra ane stoma ing uterorit a j 
rn 7 - 


anentaitas 126 bis: sit tila aj mina eons ete | 


seeiteosan? (42m) fiemm BA 24 


pai od 2° 14%e! 
maar oan 


se 


reuhire gltelia 14 of neyags - 


7 
: 


ie 7 - — a 
va Shane pees views or eas 
vos — : 


(1) 


(2) 


18 


Merkle Cryptosystem. This algorithm (devised by 
Merkle[34]) requires the 'enpuzzlement' of n puzzles, 
each of which requires O(n) time to solve, by the 
transmitter of a message. The receiver solves one of 
the puzzles and sends its number and solution. The 
transmitter knows the solutions to his own puzzles and 
SO is able to use the one solved by the receiver to 
derive a key for encryption of a message. An 
eavesdropper must do O(n?) work to decipher the message 
because he must MBE cree n/2 puzzles, on average. 

The Merkle cryptosystem is unuseable because it 
requires only that a cryptanalyst do O(n?) work while 
fhe transmitter do O(n) which is too low a ratio of 
work factors. Hellman[22] states that it might be used 
in the future with fiberoptic technology, but this 
seems doubtful. He also points out that the method is 
the "Simplest and least likely to yield to 


cryptanalysis". 


Diffie-Hellman Cryptosystem. This scheme employs the 
use of the 'discrete exponential’ (i.e., modular 
exponentiation) for key exchange. It seems an 
excellent method but according to Hellman[22] it "needs 
study". Signatures don't seem possible because each 
user has the same key after the exchange of some 
numbers; that is, the method reduces to a sort of 


private-key method. 


: ) Yh Rae tual 


be . 4 r 3O% 
, 
4 te 
4 | 
i] 
a i 
bs eVrciesoen 8 Peer ve 231 )0pn1 
4 4 4 5 j -_- 
s) i. ay ® - 7 
, . ,* oa a Tomy iz m2 is 
hase Ay ; =) oe . — ein 
: “12 }o.. 78 16d te geet [ls daa ce $3047302 
' 
% J - 4 u 
2 7 oo rh 4 id oe jr ‘eet? oye 
2 O08 L@GF 3402 Je0 (220798 ,-0OSis $A LJ IFOUHH Segas 
= , ” ' 7 
A AF 4 >," 
+= 92 Slaly-o¢ whose. : i 240 ,Q922". ad? 
7 
if Seolews’ sesdoa 33 


aheen” 92. £59) 
*5 2 


tie Loi a4 ba 
ied hat 


) : ahs re 


Aaa a: 


an 


2) 


(4) 


(ae) 


1 


Merkle-Hellman Cryptosystem. ‘Trapdoor Knapsacks' form 

the basis of this cryptosystem devised by Merkle and 

Hellman[35]. Lempel[31] notes two flaws: 

- Simple digital signatures seem impossible. 

- Although the general knapsack problem is NP-complete, 
there is no proof that the trapdoor knapsack problem 


is also NP-complete.' 


Graham-Shamir Cryptosystem. This algorithm has not yet 
been published and the only available account (by 
Lempel[31]) is sketchy. It involves a variation on the 
Merkle-Hellman trapdoor knapsack concept. At least one 
very large table seems to be required per user and 
Signatures seem as difficult to implement as in the 


Merkle-Hellman method. 


McEliece Cryptosystem. This Oe ah ast is based on the 
‘general decoding problem for error-detecting 
codes'[31] which has been shown to be NP-complete. 

That is, it uses algebraic coding theory and 'scrambled 
Goppa error-detecting codes'[22] to define keys. At 
present no easily implemented signature scheme is 
possible[31] and a large space requirement, 500 


kilobits, is needed for a ‘generator matrix'[22]. 


Problems lying in the class called NP are believed to 
have time complexities that are mot expressible as a 
polynomial, if implemented on a deterministic computer. 


19 


- co _ -_ = 
a ‘it ae 
le aaa aaa an, o Tene UF 
“gaGt ‘sdrmecavd soabqe tal? (HATOD: awa fe “Ql 4 
: . : OP va) : 
‘ 7 _ “4 iD Ha) 1 ee _ at 
Sits sidtem yd Soakvar cigvte ald? O92 


maceve: 
- in 7 
* iawath ows eee (iijlwygeni fee] 
vont a ia" ae, 
an + 

; ‘ a . 7 

' eget eldugeg aseaiqehy (ex: ty doyed ala } 
: : wu 
} ities? os uta Jopay on 2f, saedgz’ 
® 7 


cow safe at 

2 oe 

‘ , rH : : - -™ he ~~ wt _—— | s 

= sion ste Sirdt “iayws) “\ eernlé-neriersd (* 
: - ii 

7 


* 


‘ } ‘ > » S ae. eitdun  b 
1 sed 
- i _ ' 
a sai tf £) i equst 


$3eM 


FEEHTMA cote! Aehils 
= ~freertea £.7% 2 tae 4 ) / 
4) ) 2 ua) eee Sie 
— “+ a ; < 
7 
“san hele ise >e 
i 
’ 
-« a Sra . « 
. whe wrgaiy * at ye ba A J Poe 
| e 
ry F 
: . i> > 7 ee Lr] ) Laz ’ 
; © 
ré - 4 Aa , wade ne | isike y@t'e 
i] 
Fa "a g 4 o | 
we aul S” Of6 SHOT | Dir Lest >! ,at g4 
iA -~% bi bite 'ais : | - 
ee 19 397 {asd 296 19feo- To t38 see 


ci Beineusiqn: ybiass on saeegrg’ 
At a: _ ‘ i : iF 
Q0€  2reieslupes) Goege 9518. @ baw Ci tleid iggeg 
¢ > : : yy Piss 
p” ¢ sot Babee at wnigants 
eal 


Iv 
s 
as 
44 
a ts 
ita) 
9 | 
if 
= 
tw 
= 
? 


> 


ot 46y 
aor 


1.5 The RSA Cryptosystem 


The RSA cryptosystem is distinguished from the other 
public-key algorithms in two important ways. First, only 
the RSA method has an easily-implemented message-dependent 
Signature facility. Although on the surface all public-key 
cryptosystems seem to be equivalent, in practice the other 
public-key systems do not permit the consecutive use of two 
different keys on the same message, which must be possible 
to sign messages without special measures being needed (Such 
as authenticating messages by sending them to a central 
computer, for example). 

Second, and more important, the RSA method has withstood 
concerted attack for some time. Simmons and Norris[47] had 
a possible attack on the system refuted by Rivest[41]. 
Lempel[31] cites an unpublished proof by Rabin that places 
the RSA method ina "safe position as long as factorization 
remains hard". Factorization has not been proved hard 
however, so it would be unwise to place complete trust in 
the system until a proof is found. Cabay[5] has observed 
that some probabilistic attacks presently under development 
may eventually allow rapid factorization in many cases, 
thereby permitting the easy solution of some cryptograms. 
By then it may be hoped that another good cryptosystem will 


be found. 


20 


pa 70 i7e | e, 
aris 4 
44 ‘ 
_ 
i S a4 
. tf re Wwievitess NG 
> > i” "Life Bho ne vi Cpl cy . 
Hl 
whe On, 252° Yt ,aneles ivy Ss oF Ou Wsoa sal 
ha | 
a 
Ow! AS j “ft Sa 1124 36%).00 erastesye ae o8 idug 


*< 


4! a ' wT , 4te2e04 ae a jooxatth hai 


> c pe * } ; = Zz ot a ep 
= ot i? “2 4 ‘Gea! wi¢ Sects 
J] 
' 
P ¥ 
{ i Me 8, (9? $a as 
' ( 4 
Salad r Ae ‘ oo 4c. 2 en 
> © 
= ; g4 } L a 
. - jn " oa 
}2222 fre: ared Sit eka? wl nhei7¢ 
*- es : 
: ! Anz t 
t 7 ee vu ay Vids, io 5Bo 4 ; 


SOUS <t AP nidek 74 ACh te Satericogny-ng 2eels (Vt 
: a aay 


ry fe Ms ~ de. 2S WI. a fieetd 20c 3762 ai Sodsen A 


7 ; d 
Ad Save.g, ias0 701) aac i. G3 sare 3 Ja Jat 
‘ mS : : : 
af, 2aya® /secigne>s e26i4 Gk e2.0c. sd Ghege 1) of>,3 
he 3 Ys 
bavssadea aan (2lysdad | babe 2i sopra Litany wese '" 
; a = i‘ 


: 
smamgolesep tele GeifeegaalSiosll¢ a'3@: tiesdowa mee 
. ’ | 7 a ae ae fox ig | “a: 
\2REe> Yc a) ie: izomdedse: on i eitevtneve 
i 


’ 


| “a aoe iste Pr ac : ois ale 
i rT 5 cone a yt os partes ade i he 
: a - avide iy th hoap ride 
| hl a vie) ene 7 p} 
7 7 
teu Ty —o >. - ; 


Co 


_ 


| - a 


The RSA cryptosystem has been clearly described[42]. 
What follows is a summary. 

RSA keypairs are triples (e,d,n) where the public key is 
the pair (e,n) and the secret key is (d,n). d is a large 
prime number, e is the multiplicative inverse of d, and n is 
the product of two large primes p and q. Therefore, in 
terms of the public-key paradigm the RSA method can be 
expressed as: 

C <« F(M, (e,n)) 

Mi cee (CF (din i) 
Since 'F' in the RSA method is modular exponentiation, 
encryption and decryption can be expressed more precisely 
byse 

C « Mte (mod n) 

M <« Ctd (mod n) 
where (e,d,n) is the receiver's keypair. 

Modular exponentiation provides a trapdoor one-way 
function since it is easy to obtain C from M, using (e,n), 
but the receiver must have the additional information (d,n) 
LO, Obtain M from C. 

As shown eerie public and secret keys in all 
cryptosystems must also be related by a trapdoor one-way 
function. In the RSA algorithm, e and d are multiplicative 


inverses modulo the Euler totient of n. The Euler totient, 


: Throughout the thesis 't' indicates exponentiation. 


Za 


_ 


eh, oy x : 
: ' Esednied: 


‘ ; ¥ * y 4 
ab WG «fo Sina Sesviqrttion es vi | 
7 
7 bi tite = soning sbsel aw? to 2a 
4 : 155780, VeA-Sildug 
; — 
‘es Sosestges 
* a 
‘ <a »* 7 ; 
: i] 
; . uM. 
. 
=) 7 ; i S50) ic 43 a 
2 : » 
.ore Kebbiwe pf net: el Seem netsg 
. " ' = 5 Pa 7 
fs Geyp) ‘som 4) > | 
wm - ¢ } 
Bat) i - 
« 
Lo Oy c 43% ao } HT in. B, —_ 
é j 1 “i 
=) It) ot Gag 2G 4 o's wa, 143 séi' 
n wi 
ie oie pater mei 2 NEGEdS c+ “ee Be 2) state qotage 
' - - 
7 -~ 9 . bd Row 7 7 2 , 2) a - 
} AOSeaens6 * i s85669 i508 !on ova. Gan » Yeviers? 9 i? Je8 
1 , : _ i 
, WA 7237 ¥ ais o 
\ ; ; . ' 7 . 7 7 
- at ' pees ‘An75082 ry e °«: fatwa. 407! Ae 
«9 i : ew g é ew DP | a@ °ée ae: { €or 
. \ tl 
- . . > om 
a ae) fe _ 


“« . An WW ei adh “2 bi oc e@.2: ud ele) 08 Liens 


a 


svite we ny: sinh Sits Rue Hope he ae ee. net 
: , i: 
> ol ' : ; - ' 
; at 1 = + eae cia nr f, ing bose | 
\ a 


on Pre 
a ry Ce - — 
.—_ 7 ~ a nA ° is ao yr 
ei 


: 1S M 7 oF. a 
© Giolagtpisatpyacdeasstims ‘+’ afeeds » 


: io ; - _ 
= atl . 
7 : - . 


22 


t(n), is the quantity of numbers less than n and relatively 
prime to n and in its simplest form is (p-1)x(q-1). Without 
knowledge of t(n) it is an enormously difficult problem to 
obtain d from e because this requires factoring n to obtain 
preandiq.. 

In other words, one of the two trapdoor functions in the 
RSA cryptosystem utilizes the difficulty of inverting the 
computation of modular exponentiation without knowing the 
Seecretmkeyrd,, anda the Other sfunction utilizes therdifficuity 
of inverting the computation of the multiplicative inverse, 
to obtain d, without knowing the factors of n. 

Rivest, Shamir, and Adleman[42] report that the best 
algorithm for factoring n is by Schroeppel (unpublished) 
which takes the times listed in Table 1.1 (duplicated from 
Rivest, et al.[42]). Rivest, et al., recommend that n be 
200 decimal digits, although a smaller n will still be very 
dittrcuttmtaliactorn, 


Computing an RSA keypair is straightforward: 


' 


(1) Obtain 3 quasi-random numbers d', p', and q'. Find the 


primes d,ep, and qe*qreater than or equal tord!’, p" 77 and 


q=-=d=emnust™lte in the range 


; In’ facteecehescommon ifactors®otpep sl and tqateeshould® be 
extracted from t(n); this is easSy to do using the 
Extended Euclid's Algorithm (see Knuth[29]). Extraction 
of common factors reduces the size of e that is derived 
from d using t(n). Reduction of the size of e speeds up 
encryption and is therefore important in practice. 


ar) 7 i 7 
7 sted 6 | Li & 7 : ez - < f 
rm - -_ : 7 
Juans - (f= we aca _ § B22 7 
’ ab 
7 a4 
 uelderg, thupod® abhai aerione pm wio-st 
Pere 
7 aos y sa? a” : 7 saat ol 
tyfde oF o anbrosnel 2sSqug8) Blas seosood = most sh Winds 
i —_ - i 7 = 
‘ us 506 . 
7 wes Pp - 
‘ - | ite’ ‘ ww ¥s $o , 25308 redgo°n ie 
: ’ a | 
sau 7512015 ane ‘gemtlisu anes eo teyto ABA 
: ae 
*omrwons sor ofve ings 3 ian Pr« wt sesuQaot 
. : omen! 
js {isu pie ut wetto ats Soe .) Yee Jetoee 
ee © 
svi fom an 1obgazuaean ety gnigveval io 
* 230) \ drt LWOMTS paonJdiv 
; » i e's ni Y lf } oo F 
j ii al € 337 La J | i rsa ha 275) i 1 + dias i] +2 
% > 6 
iiug haqgesedise va no pa@tsotoe? wot. « 
q > 
r . ay ae »~ Ff. 
(un 6S (TS$)i le ; 
a lean . sat lana s rc (¢ve astoit t 
s re 
B2SBE BI 
io yi¢€ j al 2 fz. i ; Pon ni 
'p ue. .“q), (Soaeadew ee tzep & atesdd 
: : ‘7 
fat q ,"6 of / eure fo oat a4 © Ses .4 o eeu! 3g 


7 
7 


ep" Sj 


i X% 


MP ofeali rave 5. 8 


(2) 


est 


n length ; Number of Operations|Time to Factor n 
(decimal digits) tombactor n (@1 operation/ 
microsecond) 


Ws x1 00° 3. 9ehnOUuUrs 


Om st Once? 104 days 
2301 05 4 74 years 
ee xe ee 3.8x10° years 
dss. xat Oeee 4,.9x10'* years 
he al Oa 4.2x10?° years 


Table 1.1. Time to Factor n 
(from Rivest, Shamir, and Adleman) 


maxip,q} < d < pxq. 


Compute n=pxq. (d,n) is the desired secret key.’ 


Compute (p-1)x(q-1) and extract the common factors of 
p-1 and q-1 to reduce the size of e computed later. 


ThiSeiSathesRulermetotwent .ofmn, eat (n) . 


Compute e from exd = 1 (modulo t(n)) using Euclid's 


evGorT thi. i. 


Although it seems that the RSA method can be broken only 


by factorization there is another point of attack: the 


required quasi-random number generator. If the quasi-random 


numbers generated are insufficiently random then it might be 


More precisely, d need only be relatively prime to (p-1) 
xen — 1) 


'=' indicates congruency throughout the thesis. 
Loeisephemercacte that@ eaxedi= daptmoduloat(n)emeand Gnet 
e x d = 1 (modulo n) that makes it difficult to decipher 
a cryptogram; otherwise the secret key d could be easily 
derived from d = n/e. 


23 


7 @ _ 
ad) 
_ le 
,) Rs 


| y ly ” fo ugF® 7) 
_ 4 - 
' j 3 baat mil = tft. 5 : . 
ie 
, < 9 . - i= ; i s a) SIutyao / ol 
e z ) ’ . , 
a .fo Swe Stikebes 1 ‘J -f. OA — 
na . 4,4 ca ib: a » , : 7 a 


’ mio’ of gal i, act a ean? 


:' , 7 ; ; eae So 
| esd 6d «ao (ban oA ai: dad) anmeed St) dogedelae 
® - . 


: , 
is ‘ = “ a : | ‘ - Pa wy i Py a “fa 
dey S8GR4/5 Dare 5 i Sag: ul Jae Exod: af 


j 
a eo i» 4 =" 
Gun ; -C ISS S32 ay} 
{« c., 
* 4 int f : sreio. 3 
4 
5 
: 


Pte) of omlig ye 


7 
oe 
sity 


: 
Late 


possible, given e, n, the random number generator's mode of 


operation, and a clever cryptanalyst, to somehow compute d. 


1.6 Electronic Signatures with the RSA Cryptosystem 


Electronic message signing is described in detail in 
[8,41]. The central ideas underlying the concept are 
briefly indicated here, with reference to the RSA 
cryptosystem. 

Let S be some function of the message M and, perhaps, 
the keypair-owner's name and other desired information.' For 
the owner A to send a signed message to B he computes 

CS <sStd, (modin; ) 
where CS is the encrypted signature and (d,,n,) is A's 
secret key. 

Let M+CS be the message concatenated with the encrypted 
Signature and (e,,n,) be B's publicly available key. A 
sends B the cryptogram 


C <« (M+CS)te, (mod nz). 


: The "function of the message M" referred to can be 
either the entire message or, if desired, a hash 
function of M, h(M), which allows a "compressed 
Signature'[8]. It must be remembered that more than one 
message will hash to the same signature so that, with a 
knowledge of the hash function, an unscrupulous user of 
the cryptosystem could make it appear that a second user 
signed a document that the second user did not sign. 
Throughout this thesis it is assumed that the entire 
message M is included in the signature. 


24 


| " +t _ oy as 
. A 
[ _— ais 


5” 


a! .? ae 41s 
ee) ae os SEES knarauss sevece 6 s a 
\ 
) 7 : ‘a5 a Dd 
i oe 


a 2’ 13 “Pe | sa edt dxt iw 24zmasano: g nas 00 sh 


‘iL 
ay 


ai < Sai bea tigesh 6: pelopra escresh Sr Ata 


$i6 Iqesns> S49 oncylieba Bes? icyines ont 


e J ; Je rSiet wti« ssan & 
f 
t 
; beefed (ale 
Nhe 5 f src ; : , wa aiiwo- 14 ayss i 
vu yee . 7 
2 a Pra Sar | oARradg infa of A seawd any 
| ' = ' i] = 
( ; 
2 4 
u3 
q 
¢. ~ a © /, | 
é ‘ J as ' i “i oka oC [ 444 Ps - Es Pe, o1 


Ms - \ ar , i & , SA2IBs6 - ‘ : a= 1 14 : 2" > sed 


ay H fofidiad >" oe imag siutee 


2D 


Receiver B obtains M+CS by computing 
MiCSe oa Ci ca MOGEn ae 
Since CS will still be unreadable and M readable, the two 
parts can easily be separated. 
B can obtain S for verification by computing: 
S <« CSte, (mod n,) 
That is, B obtains the message-dependent signature by using 
A's public key. It is easy to check whether S is a function 
of M; if so, then only A could have formulated CS since only 


he has the correct secret key. 


a5 7 aad .<¢ “T ” 
sidehoeT Mik aaceoes 
aw a Pj , 4 7 be ; 


> “ -% 345 ee 
ae Ais +ltane hed aid see 
. i Fo Ore Rage » 
r s¢ a) a ,- | wal g 
a : sy 
‘yoddasliisay col 2 dtesdo mem a 
vat acon ad NApPaess ties : : o 


a 


PD 


a 
. _ a ab ‘eT 
: “ae 
> ir oo 


Chapter Two 


An Improved Secure Communications Network 


2 sient roductron 


In this chapter we design a secure public-key 
communications and authentication network. Our design has 
three advantages over existing public-key designs by Needham 


and Schroeder[39], Denning[9], and Michelman[36]: 


(1) The entire network, including the central mechanism or 
directory, can be implemented on small computers, 


making it inexpensive and portable. 


(2) The network has built-in safeguards to provide a 
measure of protection against cryptanalysis or theft of 
a user's secret key. Even with a stolen secret key it 
is difficult for an intruder to sign messages, or 


otherwise actively use the key, without detection. 


(3) Network security breaches are detected more rapidly 


than in previous designs. 


The advantages claimed are realized by distributing the 
key generation function to the network nodes (thereby 
decreasing the workload of the central mechanism) and by 


including a history buffer at the central mechanism. 


26 


ver i] 
; 
2) Ca i ji 4 nf 


or 


mes MIO ow. 


ae. 


One of the defects of the proposed network is slow 
Operation. The time to initiate logical channels will be 
relatively large because double encryption of some messages 
is required and channel capacities will be small because a 
public-key system must be used. It is shown in Chapter 
Three that operation will be fast enough for some 
applications if the RSA cryptosystem is implemented. 
Before developing the proposed network in Section 2.4 we 
first review some secure network concepts in Section 2.2 
Ghatewil 1 taidein® chevdiscussicnmtonftollowse Sectionw2e3 is a 
Summary of the state of the art, as we know it, in secure 
communications network design, where we define some of the 
problems*®inherent to existing networks. "Section 225 
outlines some applications for the proposed secure 
communications network. Since the network can be 
implemented at low cost using only software and existing 
(inexpensive) hardware, numerous applications are evident. 
This chapter is partly intended to help dissipate the 
misconception that: 
"In a public-key cryptosystem, it is necessary 
Cnivetoreatrentralvcontrollersto distributesa 
private key to each user of the system."(51] 

We shall show that it is reasonable that the controller 


never distribute private keys at all. 


_ —* ial : 
a ¢ o 
% ? = 
nett 2 i ‘\ 
42999 
vi 
yes > 
7 7 
S ohiadidtAi 2 AS L23 Je ’ aila(7eo é 
: a. | 
We). nepeve teil? Posse, deh) yar 
a > Oven Se m4 
4 ic hie ~ ppapkey: brdgas ( ; 
7 . 


< Fie) i 


rh 
_ 


28 
2.2 Some Secure Communications Network Concepts 


A secure communications device (SCD) is an apparatus 
that allows individuals to communicate more securely than by 
common carrier alone. SCD's form the nodes in any secure 
communications network (SCN), which must have a central 
trusted mechanism which is either a central facility (cF)[9] 
for generation and distribution of user keys, or a key 
distribution center (KDC)[40] for key distribution alone. 
Since it is generally undesirable that user keys (even 
public keys) be transmitted openly, any CF or KDC must 
periodically generate its own key or keypair to encipher 
user keys before transmission. SCN'S use cryptography to 
create secure logical channels superimposed on physical 
channels (the common carrier); information can travel on a 
logical channel at a rate not exceeding the channel 
Capacity. 

The requirement for a central trusted mechanism arises 
from the need for authentication or the unambiguous 
identification of network users. There are two types of 


autnentreagion. 121: 


(1) In user authentication, network users identify 
themselves to each other to establish communications. 
User authentication can be either indirect (in which 
the fact that a user possesses a key or keypair is used 


as evidence of his legitimacy) or direct (in which 


- 
7 


7 . ew ; 

" - % | 
: ere 43 eo 

7 _ P ‘ ; a” 7 - 

be S19 SISSIND yO. 02 CicubpY ion i“ uae a r 

7 

; : : . oe! oy 

; “ 

; ' 5 of ers b i" 


. _ 
‘en nie 
: : a 7 


i i 7 ’ 
aebowge > « be 
v7 ~ i oa t fi a 7 a 4 H ; row 
i q j 
J : eo 2 1 
2 ‘ iy 
. 4 . ‘ 
i : i ' 
5 Ay Guy 
ae 
: " Peele ies ' 


a Be f “iit? 2 oo rw i4 
i, 7 e 
i 
o~ need ~ yay 
— : =. 
J i ’ ‘ ua*y 4 é - be 
' ' ) ? 
: ana 
, ; pei “au! 


See oe, 
. yasr ‘ic CUTE RETIN 2% | t orgns pes wat 
od a - 


ee “< * art ot ms { af vig, 78? Be es wy 
a . 


2 ‘ 


users are identified by personal characteristics’ such 
as their voices on telephone lines, their fingerprints, 


or their handwritten signatures). ' 


(2) In message authentication, network users exchange 
electronmessignatunes: Lomprovide futures proor mtolan 


auvenority, Of@theirvacceptance of terms stated unta 


document. 


Since there are no convenient and foolproof methods of 
providing direct user authentication electronically, direct 
authentication is used only when a user joins an SCN; at 
that time an individual furnishes side information that 
proves his identity, such as a driver's license.’ 

If the authentication mechanism of a network fails for 
some reason, a network user may repudiate his signature on a 
document or his presence on the network at a particular 
Dine=ewrurthermore),” ifmamnetwornk user cans show that ‘an 


intruder (or unauthorized party) can penetrate the network 


The necessity for user authentication has been noted by 
Simmons[46] who relates a protocol devised by Rivest, 
Shamir, and Adleman for playing ‘mental poker'. The 
Ppl Cataoneeof theme protocol, is\iithathmipensomsy haying 
cryptographic keyS can communicate securely without 
knowledge of each other's identities. Secure 
communications without user authentication is 
unacceptable for most applications. 


y Side information is also required to join other networks 
Such as credit networks, with means of future indirect 
authentication (a credit card) being given to the person 
joining the network. 


a5) 


* er fe 
23a 


~~ 
« 


& 
a 
—_ 


30 


under some combination of circumstances, then repudiation 
becomes possible. The best safeguard against repudiation is 
complete network security. 

An intruder may try to gain access to an SCN to obtain 
information or to alter signed documents and may be active 
or passive[13]. A passive intruder eavesdrops on 
conversations and obtains information through cryptanalysis, 
whereaS an active intruder imitates authorized users or 
undetectably alters cryptograms. The active intruder 
therefore requires a legitimate user's key which may be 
obtained through cryptanalysis or theft. Key theft can 
occur at the central mechanism or at a physically insecure 
Seb, 

The necessity for a central mechanism leads to a key 
distribution problem: keys must be recorded, transmitted 
upon request to users wishing to communicate, and replaced 
in records when they become obsolete. Public-key 
cryptosystems were designed to alleviate the key 
distribution problem and simplify the establishment of a 
secure network. 

The central mechanism in a public-key SCN must be 
extremely reliable for two reasons. First, the safety of 
the public key scheme depends particularly on the selection 
Of the copnectepub lic #keyatorkenc hypt ion #Alsopethe 
maintenance of the directory of public keys is critical 
because in any SCN design a user's public key will be 


changed from time to time and this must be done correctly. 


_ —o ws 
a Pre iV 7% #10 Py 2 oN Boe i > 


sta 
4 


Yai ity sO Oe aoe yur nese 
} 
I mite “ | ~e j2¢ mg ae ne 22N2 : 
h “es 7 
7 V 7 s. @ 
& te Uange P Giify ivy BAS waters ae@5 Suds 
- 7 - ‘ie? : _ 
an) a : _ 
herr | Ty “een 
if eat : : ~~ 
we 7 a 
j ty) 4 7 > = iz 
; aoe me (ta mis OT eb oe é peSERG 4 i. 
7 — 7 
, L* : 5) 


: v2.die%, * lest ins 
ma 


Popek and Kline[40] have summarized much of the theory 


Of SCN°design.’"Somevoft theirteonclusions are: 


(1) 


(2) 


Three basic types of SCN are possible, regardless of 
whether the network uses a public-key or private-key 
cryptosystem; these are the fully distributed, 
hierarchical, and centralized SCN's, diagrammed for the 
private-key case in Figure 2.1. (Public-key SCN's are 
not diagrammed because their only difference at this 
bevel lisethatethey provide twoscommunicatuonse paths 
between any pair of nodes whereas private-key networks 
have only one path.) Popek and Kline observe that the 
fully distributed SCN is a variant of the hierarchical 
SCN and that the centralized SCN is a degenerate 
version of the hierarchical SCN. When designing an SCN 
it is therefore necessary only to design a centralized 


SCN. 


Global aac cs a 
oni erigg ston in oye the ake 


Local asl Pa ra [aa B 


Distributed Hierarchical Centralized 


Fully 


Figure 2.1. Private-Key SCN's (¢e=CF, #=SCD) 


Key distribution can be either simple or complex 


depending on the type of SCN. The hierarchical SCN is 


31 


L 


5g. 
‘ 7? 
> 


i 


+ 
bef => 


SS aa 


BZ 


useful for very large networks since each CF need only 
retain a few keys. On the other hand, in the 

fully-distributed SCN, nx(n=1)/2 matching keys must be 
arranged among n CF's, with each CF retaining n-1 keys. 


The sCEPinyayeentralizedesCNemusteretainmnekeys: 


e 


(3) Message authentication is possible in any SCN with an 
appropriately designed central mechanism. Protocols 
for establishing secure channels are outlined by Popek 
and Kline that allow signatures in both public- and 


private-key SCN's. 


(4) The central mechanism should be minimized to make it 
reliable and trustworthy. That is, the fewest possible 
number of persons should have access to the central 
mechanism, its software should be very reliable, and it 
Siouldebetsecurelyelocavedy perhapsmat arcomputer 


center supporting a secure operating system. 


Popek and Kline place little emphasis on public-key SCN 
designs in which key generation is done at the SCN nodes. 
We will show that distributed key generation allows 
minimization of the trusted mechanism, simplification of key 


distribution procedures, and increased SCN security. 


= . 
, aye Ce 2 ; 
noe noes Ajew ~@ 4 
va 
| , e - v ei 1 " F.. 
‘ 
-— 
i‘ 
P Tel feesc aot ‘pep 
Ly 
{ on had , - ‘ the e i 
\ Si at ‘ LAD Wao 
. a 
ty i 28 
Ter ewes) Sic o7 a a 
af ‘ 
é Avo gt Bt > < WOl a 
| at | . 
i <= hg 
= 
7 
pal A | ofa = re* AEs Ae): oa ° 
a j 
- ar ig! Ss yi oan 
ce ao . eh ‘ve ie > 
ps ao) er GL. s 4 
| | PH Iisa \aaaacC8. & aie Giuvoiva-ere 70 Se 
; ‘ 

La : ) nN ; 
he Sod = ae a a> > ie = > ye (ne Brel 
7 ‘ari - “a - oe ? > arti 

< : p we 
- = i et ah he yr 
a = se aa pe oe hi | “a = ° 
ot 
z { \ , ig 7 7 
a 7. : Yr. Sie ox ae - 9 — 
ma a 4 aL > bhete 
’ 
t 
+h 7 


° pe F > 

OX? OF) 4 ig i im anlLfaA one .& 
| vi 217. 74 7 ower , 4 7u =~ 4ohitw hz 
7 a a = all ‘ 


{s & ete 2683 waa rans 
7 ? mo Op La 


2.3 Historical Perspective 


SCN's have been constructed or proposed but no design to 
date has been perfect. Existing designs are flawed by such 
things as their low channel capacities, their expense, their 
requirement for a very special location for the central 
mechanism, and their requirement of special unavailable 
hardware. This section outlines some of the features and 
drawbacks of existing SCN designs. 

Kahn[(26] has fully covered the subject of private-key 
SCN's using mechanical SCD's. The channel capacities of 
SCN's described by Kahn were very small, but the advent of 
solid-state electronics and modern telephone lines has 
permitted the construction of private-key SCN's with large 
ehannel capacifies, using cryptosystems based on the same 
principles as those described by Kahn. For example, chip 
implementations of DES permit inexpensive private-key SCD's 
to be built, leading to the very high-speed electronic 
private-key SCD's and SCN's that are occasionally described 
in Cryptolodia. SklectromicyrundseTransterssystems 
(EFTS)[2,20] are a type of SCN; to date EFTS networks use 
either private-key cryptosystems or no cryptosystem at all. 

Despite their potential for large Channel capacities), 


private-key SCN's are flawed in two ways: 


(1) Increasing computer power and improved cryptanalytical 


techniques may make private-key cryptosystems insecure 


33 


» Fs; 
7 
‘ . " ag : - 7 
. = e 7 - , 
‘ ‘ayn BIER Baise Lez, . /U9bsag a ny = 
* 7 a i | ' : mae _ 
Pa tal oy’ ia ratte 3 y ie Aa . + or 
< {™ ao fl a ty 7 7 a 
VS ek ee ay 
Sol Laiaee@a ¥* 702 


: y c are see 
ate botieise va vioeast 

a | ee ¥ - aed Pas q ; 1 Bs : haa 
fees 


316 Taal Br 2's levterteen oniey eg 
- aw - 


i | 1] * 
f } cq a ’ i 
i ‘ ir 7 é , 
t hoteleyhtad ooh . Caldsacias 
~ . d - 
Mm 7 Se a2 .0 . ead 
od i 


shy: He ssa0% 


= 
- —— 
ee 
4 
J 


) rays t omiGomt orks 
7 Cy a 
; netie!) <¢''92 ae pies qaes 


’ a : : 


r ole ier 7 a | nie * 2 
(say ci ome ‘ 


eae. 
oe 


ws 


me thes neararutures 


(2) The central mechanism must generate keys for use by 
communicating parties. Keys are generated with a key 
stream generator, which 1s a complex program that must 
run continually on a large computer to generate the 
many keys needed by users of the SCN.' The requirement 
for a large computer and the attendant requirement for 
a large staff makes private-key SCN's expensive and 
places constraints on their locatability, since 
locations with a completely trustworthy staff are 


uncommon. 


There are three proposals that we know of for 


implementing public-key SCN's: 


(1) Needham and Schroeder[39] design a public-key SCN in 
which all user keys are generated by a CF. A directory 


of public keys 1S maintained by the CF. 


(2) Denning[9] proposes the conversion of personal 
computers into SCD's by attaching hardware 
encrypt von/decryptionsunits ss SThe| Denning: SCNirequares 


a CF capable of generating hardware keys to be used in 


; Key stream generation involves the generation of an 
ideally non-repeating quasi-random sequence, of bits, 
portions sol which may be extracted and used 42s (keys for 
private-key cryptosystems or as seeds for generation of 
keypairs in public-key systems. 


= 


ire 


» em 


=_=>- 
; ; 
= 


zm (ou i. . ‘ 
> ia 7 
* 7 ve 
or alias br ed iG bf 
i es ) - . 
- Mand, to spetur ed tiohew ayed 7a 
‘ 
a ‘ , 7 7 
hata? 2 12 Die 18s - 92a. & 


a 
™ 
a 
“ 
of 


ts 


oh 
~ 


conjunction with the encryption/decryption units. Key 


distribution is done by a KDC separate from the CF. 


(3) Michelman[36] defines a network requiring the central 
mechanism to generate its own keys but not necessarily 
keys for SCD's. The central mechanism communicates 
with SCN users uSing its secret key to encipher 
messages. SCD keys, and those of the central 


mechanism, are changed only at very specific times. 


There are flaws in each of the public-key SCN's 
enumerated above. One common flaw, of course, is that all 
three SCN's (including Denning's) have small channel 
capacities compared to private-key SCN's. 

Bach system has further flaws. The Needham and 
Schroeder proposal has a bottleneck created by the 
requirement that the CF generate all network keys. 
Centralized key generation for all nodes in a public-key SCN 
requires a relatively large computer to act as CF (with all 
“the attendant cost, location, and personnel considerations) 
for even a small network. Furthermore, the key generation 
program must be a memoryless subsystem[16] that does not 
retain user secret keys after they have been generated and 
dustributed,eaddaing to thesdiifiuculty om CRecertircication. 

Denning's proposal is flawed by a bottleneck as in 
Needham and Schroeder's proposal, as well as two other 


problems: 


oth Ser ereme 


® I oD’ 
i j ‘ . : 
| ' trae 2 « 
anf aR law ih Li m4 
® 4 ~ = Z 
a. es. 
' _ 
 gabajdcade . Spanies: panda ae mages 
j j i] i - iis oa d 


Lees 4 29° Oy The 9 (st besitens 
. ‘20 47 Segre? .. hay 4p 3° Laka dupe 


ee 2A¢ wake 328 ye 


. 5 oy ie sIRSE AN Ree 


—_ 
— 
o 
es") 


(1) Frequent key change is impossible. Because keys are in 
hardware, an SCN user must physically obtain new keys 
from the CF. It may be necessary, however, to change 
keys?votten:@analysis and@duplicationiot microdiremitry 
is technologically feasible, so a user's key could be 


stolen, duplicated, and returned surreptitiously. 


(2) Hardware public-key encryption/decryption units have 
been in development for some time, but are not yet 
available. Whether such units will ever become cheap 


enough to be generally available is debatable. 


Michelman has observed that a flaw with his design is 
that it is slow in the detection and correction of security 
breaches; this flaw 1s common to the other proposals as 
well. Slow correction of breaches leads to extended access 
for an intruder who acquires a user's private key, by theft 
Feoneam SCD or through cryptanalysis, © lf the sSCD"s are 
physically unsecured then it is impossible to guarantee the 


validity of signatures. 


yi 

Lane : 

e ‘ & We 
- © 


a "oper €)08 -.S2¢1€ jh tie mg polonss 7 
: > 7 - a 7 La 
bing ye” = - ‘ a ey ni rou a fa 
4 : lay - - > ,as J£ aif *@ 
. 7 7 7 7 . a 


4 APN Ap “4 ig, Yea sé tdug eaeair 


rT 
Pail tay i ‘ > = ie Tris :. wt ot think 
v7 


r = 


‘ : : _ 15 
ay tMoe Ue i) ous BoC isAw 2 sids thaw 
6 6 1-" 
7 Eee iS Wa yates 1. Og 
j ai = 
i ) F - a 
A Weewinl 2 An) ie 1 Gh fina aon cvety 
, “~~ Tetha Lae ‘ aa | 
“J ‘7 . a 
‘ ~ ms as eb 1s ; vs a 


$099) od 7) 44. OE a A eR ere eee 
: ye eT Ar i ) pw 
A f 4 
; rps cots) Ae + ia t 
e 


3a) 


2.4 A Secure Communications and Authentication Network 


In the following discussion we design a simple 
public-key SCD and an SCN showing resistance to key theft 
and having rapid detection of security breaches. The 
discussion rests on two assumptions, both justified in 


Chapters Three and Four: 


(1) The channel capacity of a public-key SCN can be made 


large enough to be acceptable for some applications. 


(2) It is possible to distribute the function of keypair 
generation to the nodes of a public-key SCN, with 
keypair generation fast enough that users can generate 


one keypair for each conversation. 


224. (RAMTCIVialsPublicsKkey#SeD 


Under these assumptions the design of a public-key SCD 
becomes trivial. The only requirements, besides key 
generation software, are for transmission error recovery 
software, a modem, and a printer to keep permanent records 
of signed documents. Such an SCD is completely useless 
unless it is part of an SCN with a central mechanism, since 
it, isiampossiblewforeuserse#tovauthenticate eachtothers, 

It is possible to give some usefulness to SCD's 
unconnected to a central mechanism by incorporating an 


ordinary telephone into each SCD to provide some measure of 


Hr? ; 
‘ 34 
4 * > eu ¥ * a 6 ’ | , * >i > 
7 4 ) i? ea ee iy he “44 on i‘ d ” 
; . ri: 7 
ye wei see’. 54 Ne ae i 
ee ee ee ee eS 
6 = 
L. ; 
i % ¥ i J is 
5 ‘ + 4 oe 
‘% ¢ : 
{ s 
, < 
a j : 
of ¢ ; ; % iageg 
ATA hr eet 
M is ; ,a oF) ivi ho uer mies 
L oo” ~he 
' 
“A Tyas 
:  o4 * ' 
4 p+ ‘7 got ~~ °) & aA 
oy Pi ) 
i! 
é | in 
> 
aoa i= 
— oe wee 
ad Av ool 1 a Ss 
Mee a 
, 
i j ’ +% 
? @ } 7 4 
- a | bd @ : 
Web OPEL. TARISelie yy 


; a 
Spitz), OSI age | 
: i ww : » 


38 


directs Usermauthentications Although ityislimpossi ble sto 
guarantee the security of communications using SCD's 
connected only by a telephone line and no central mechanism, 
it should be remembered that speech synthesis and 
recognition by computer are difficult, unsolved, 
problems[33] and that mimickry of human voices by humans is” 
GEEriouiite. 

The following protocol illustrates how two SCD users, A 
and B, can initiate a (somewhat) secure logical channel, 
each knowing only the other's voice. The security of their 
communication is entirely dependent on the reliability of 


voice recognition over a telephone line. 


(1) A and B authenticate each other by voice, using the 


telephone. 


(2) "A sends his public key to By Bi sends his public key to 


Fes 


(3) A generates a random number and concatenates this 
number with a short message. The resultant text is 
then encrypted using B's public key and the resulting 
erypucdram 1S transmitted to 8. UsermeBrcarries our the 
Same sequence of actions as A. That is, B generates a 
random number, concatenates it with a short message, 
encrypts the result with A's public key, and sends the 


resulting cryptogram to A. 


wea 4 6. pei ies 
; 


é 
” 
é 
4 ¢ F 
r a 
a 
b ‘i 
; : 4 
~ ‘ne > } 
ew os 
A 
‘ 9 Ji 
Gl iAsges tees 


a. 


) aan om —at 


(4) After A and B have deciphered the cryptograms, the 
resulting plaintext messages are relayed back to the 


Original senders via the telephone voice links. 


(5) elivboth A and B feel confident that they have received 
each other's keys, then they subsequently use these 


keys for enciphering messages. 


(6) As an additional precaution, all messages sent from A 
to B are tagged with the random number generated by B. 
Furthermore, all messages sent from B to A are tagged 


with the random number generated by A. 


2.4.2 An Improved KDC and Protocol 
a. The KDC 


The proposed KDC is diagrammed in Figure 2.2. Some 
memory is required for the history buffer which is divided 
into columns, one column for each network user. Bach column 
can record n user keys, where nm is the maximum number of 
keys allowed any user in a particular period of time; it 
might be decided, for example, that users are permitted 20 
conversations (and therefore keys) in one day. The 
limitation on the history buffer size depends on available 
memory, number of network users, and frequency of network 


use desired by the users. 


39 


soe ael shad a 
Pe i 


vei b as - a7. ~~ Hi vy is a he ¢ 
4° hs Fr oad 
5 ‘ | ! i 4 
pf Li 
S ty 
H ‘ 
: 4 
’ 
par 3) 
’ 7 


> ¢ : ‘ ms nan 8 


aaa 


40 


fefeare]-—— 


+ 


«— Active Keys 
KDCeSecret|< 
Key Old Keys 


(History 
Buffer) 


Figure 2.2. The Proposed KDC (6 Users) 


The KDC software includes software for key generation, 
encryption/decryption, command interpretation and key 
distribution, and transmission error recovery. The software 
asecertirtied([ 104% 

In any SCN design the central mechanism must be able to 
unambiguously identify itself to SCD's. Our KDC identifies 
itself in the same way as in previous SCN deSigns: it 
generates a keypair and encrypts all outgoing messages with 
its secret key. Its public key is available to everyone. 
Let (KDC,P) be the KDC's public key, which may be openly 
published, and let (KDC,S) be the KDC’s secret key, which is 
known only to the KDC. We set no specific time constraint 
on KDC key changes; it may change keypairs as often as 


convenient. 


be. User) Initiatzton 


TO) jOiln our SCN, an individual first identifies himsele 
to a trusted KDC operator (direct user authentication) and 
gives the operator a public key generated at the 
individual's SCD, perhaps written on a piece of paper. The 
operator enters the key at the KDC console and gives the new 
user the KDC public key (or tells him where the KDC key is 
published). The KDC may have simple software to test that 
the key submitted does not match any other user's key in 
memory; the possibility of a match is very remote. The 


user's key is placed on top of his history buffer column. 
c. The Commands 


Bach user has just two commands that he can send to the 


KDC, "REQUEST" and "RELEASE":' 


Cie eREOUBSI = For Y to obtaim X's publicekey, Yemust 


REQUEST it by sending 
Y+F{'REQUEST X',(Y,S)} 


fou cieuhDGe.ws) Yi! “iSwaeplalntext sidentisvernsindicating 
fomenenkDCethespubbicakeyythatmmuse beglooked upeto 


decipher the command; that is, (Y,P). Although anyone 


The notation 'F{M,(Y,S)}' in what follows means: "Using 
the public key cryptosystem implemented, use encryption 
function F to encipher message M using Y's Secret key." 
'+' in what follows means string concatenation. 


4 | 


having Y's public key can decipher the command, no 
Secumityabrveacnmoccunsisat thasthappensseawhat..s 
important is that the KDC knows that only Y could have 


sent the message. 


(2) RELEASE®® BeforesthesKDCecan transmit X'S) public keysto 


Y, X must RELEASE the key by transmitting 
X+F{F{'RELEASE X'+(X,P[new]),(X,S[present])},(KDC,P)} 


to the KDC. The RELEASE command requires that X 
generate a new kéypair to be used for his*next 
conversation; the present key is used for the present 
conversation only. The command requires double 
encryption because only the KDC is to know X's new key 
(hence the use of (KDC,P)) and the KDC must be sure 
that X is the transmitter (hence the use of 


(x,S[present])). 
d. The Protocol 


Two SCD users, A and B, establish a secure logical 


channel using the following protocol: 


(ier AGREOURSIO<s (Bs publicukey trom Che KDC se The KDC 
prints the encrypted and decrypted versions of the 


REQUEST for future proof that the request was made. 


(2) The KDC transmits 


KDC+F{'RELEASE TO A?',(KDC,S)} 


: 7 - 
D a aus 7 » 
- is 32 ’ 
sh + : 
- 
J uy he hal sud ii 
pa € 
| aoe ; ) Paee aad 7 oe 
\ re oH _ ; 
j } ) . : , | ee | 7? y c ae ‘his > iy notes . 
1 a D i ¢ - ie A 
ae ev T9A' :2neeers ot ah Ra eal 
at ; Pa dis che Pi os - 7 
| ‘ : \ i * neers 7) 


mee <8 eee ‘aaa 1 


wo - 


G3)) 


C5) 


43 


to B. Although anyone can decipher the KDC's 
transmission, no security breach is involved. B can be 


certain the transmission originated with the KDC. 


If B decides that communication with A is desirable, he 
generates a new keypair and transmits a RELEASE command 
BOetne KDGT rhe mKDEldecryptsewi the GKDGas jim ipeints the 
result, decrypts again with (B,P[present]), and prints 
the plaintext result. If (B,P[new]) matches any other 
key in Bi stcolumn sof theshistory buffer, stheskDC 


Signals 'SECURITY THREAT! and terminates operation. 


The KDC obtains (B,P[present]) from the top of B's 


column of the history buffer and transmits 
KDE+E{ FOUR stk BY i+ (BYP presen) jy (A;P)Ge apc as 


to A. Double encryption is needed to assure A that the 
KDC transmitted the message and to ensure that only A 
can decipher the message. The KDC places (B,P[new]) on 
top oraB sicolumnvoreche history burter pushing 
(B,P[present]) to the second position, and all other 


old keys down one position. 


Steps (1) to (4) above are repeated with 'A' and 'B' 
interchangedmfior: Betotreceive tA’ sepublictkeys” Asandes 
now have each other's keys and can communicate 


securely. 


: * 
1 
fd 


Os w, a. wy rn 2 


e. Discussion 


The network's security depends on the trust that can be 
placed in the KDC's keypair, which is used to encipher 
numerous small messages; the keypair should therefore be of 
high quality. If desired, time and date stamps can be added 
to messages sent by the KDC for additional Security. 

Although the keys in KDC memory are called 'public' keys 
they are not handed out freely to anyone who wants them, in 
accord with Michelman's dictum that there is no security in 
a network in which keys are given out without restraints. 

Since user keys are changed frequently they may be made 
relatively short and still provide excellent security. The 
printed record of all key changes provides a log that 
pinpoints the time of each conversation or signature and the 
public keys used, thus localizing security breaches. The 
use of ever-changing keys for signatures is a discrete 
analogue to the continuous, very slow, changes in ordinary 
handwritten signatures. 

The Nrstory bubter seused LO protect network users 
against key loss or theft in the following way. Assume that 
a,user leaves his SCD signed on and unguarded for a short 
Eimesand am incruder copies the user’s Secret key from SCD 
memory. If the intruder attempts to use the key at his own 
SCDehe must replace it on top of the history bufter when 
RELEASE'ing it. When the legitimate user attempts to use 


his key, he will find that it is no longer valid because at 


44 


wou 
wie Yte’ 


pay Po = 
i 


matches an old (i.e., pushed-down) key in the buffer; the 
KDC will signal 'SECURITY THREAT' and not allow the 
legitimate ee to communicate. The intruder may attempt to 
cycle wthe historysbutfersto return the key onetop to its 
Original value by having nm conversations with network users; 
however, if n is made large and the time constraint on the 
DimrermiSerOng, wituelS UunLikelyethat the smntruderucanscycle 
the buffer before the legitimate user attempts to use his 
key. 

Of course, an intruder can eavesdrop on one end of a 
conversation with a stolen key; the history buffer only 
prevents active use of a stolen key. Note, however, that 
eavesdropping can only be done for one conversation and that 
a stolen key is of no value in determining the user's next 
secret) key. 

The proposed SCN is vulnerable to the threat of theft 
and replacement; that is, it 1s possible for an intruder to 
copy a user's key, replace it with another in the user's 
SCD's memory, use the stolen key at his own SCD, and replace 
it on top of the history buffer with a key matching the one 
placediunethesdegitimate users) SED.95 Thesonlysdetence 
against this threat’ is that the user either memorize his 
secret key or write it down, Even memorization of part of 
the key should suffice to keep it from being replaced 


midetectably pabUu une \reSpONnSibility is cheguseris. 


45 


awe etek oe 7 . Bs 
yeh ka aA ue rene ia | 
| hid leio wy der lwed. gid pst hte 
ofa. vit wind - Spaaied ee apaet phina ef a ae , vow 
ro a ohh. 4 ‘Salida etal aw wi 33 ant ns 
ke wig * 2 Yteirs seen Santis eve AP asohed tae aa 


oh sqmeits Yad 


gai A) qoo 1 


a4 . SUAIGSvES tie SeGbes-. od: gSOaegD, 70) 


DAs v 
yidias cots WEES 9 Ae else Taree 
? ; 9 ' 
<4 Le) ‘ i i : a yah 
ty) teVy be Wie GP bees Se iReS BOSS 


than 
Goad 
“ey 


. 
ry 


+) BAG -4 vt a A Has 2s aay 
2 i] 


ae 1 abadntset 1! dat y on +. ed deel ne 
. u 5 i< 


err ire? Sake ye) 013» eye Aendqasg ane x 
aT cy © ee ‘agp ap 

Pye ae ia Wet 0: on sigade Gae® a”4een: 
v7 ae Ad See YR "= ged yeeu cen a 

#700 Suhi =) om. C2 oO ORES BeTiue yshtete sia 30 ants 
08 a ‘seen exalt age so ame 
aii= 128 ~ ioe ws hed. 


wee vary 


iia 
sa 


==) I1an Mwad ten | | 
‘ecaigus ig 


2.4.3 Further Considerations 


There are two broad areas in which the proposed SCN 


Could sbemimMproved-: mie Addit1Onal = Security wanda 2) 


Versatility and Dependability. 


a. 


(1) 


Additional Security Measures 


We have shown that it is possible to automatically 
Guardwagainseshort—termeloss: of controlmot sthe SGD. 

It is the user's responsibility, however, to prevent an 
intruder from gaining access to the SCD or its software 
for an extended period. An extended period of intruder 
access may allow the introduction of a Trojan 
Horse[30]; that is, modification of the SCD's software 
and possibly hardware so that information is 
transmitted in the clear or, perhaps, so that weak 
keypairs are generated. There are a number of measures 
that can be taken to guard against the introduction of 
a Trojan Horse, including secure storage of the disk 
and SCD after use, occasional visual verification of 
the source code and recompilation, and perhaps 
construction of software to provide a checksum of both 
the old and new object decks to force an intruder to be 


extremely subtle in introducing modifications. 


There are measures in the broad area of data 


security[10,11,19,44] to aid in safeguarding keys and 


46 


Ad 
_ 7 i 
‘ : bp , 7 : 
tai ni 
Oe 


entaa 


. «Mag 40 pag yo: ; 


rau 
peu omy 


software. Some of these are implementable on a small 
computer; for instance, a strong password scheme could 
be implemented involving the use of a rapidly changing 


Valuessucheasmthes time “of day. 


A precautionary measure entailing some expense involves 
the use of a 'water marked' magnetic card and a 
magnetic card reader/printer. Such a device and card 
would be used to split a secret key into two parts at 
Signoff, with one part left in secondary storage and 
the other on the card. With private-key cryptosystems 
this splitting of a key requires the generation of a 
quasi-random number that is stored on the card and 
subtracted from the key in memory[7]. Public-key 
schemes allow some simplification of this procedure; 
for instance, if the RSA cryptosystem were implemented 
the secret key d could be stored on the card with n 


left in memory. 


Even if the key at each SCD cannot be made perfectly 
secure, an Eh eeu mechanism, called a 
(k,n)-threshold scheme, can be placed on the KDC to 
Guard againswwerorgenrlestmeunssuchta schemetk users must 
cooperate to sign a document. Shamir[43] describes a 
(k,n) scheme requiring the use of passwords. A keane) 
scheme could be easily implemented on the proposed SCN 
by simply requiring k REQUEST's and k RELEASE's before 


authentication could proceed. Individual users might 


os 
eer) ons im cn t sulav 


x a Este 

gaviowit). sang “Vee “hipia did eave visti b: am! 
e tes. Gemma ” ome, ties e 16 re “9 

O12 Si (a eM, eRe in ae Daas oiteanaa! 3 
je ao 1 xp Rae gytond e CLiRg ey beau wg binow 
Gra’ eps’ ' ita age eae Cts + Popmde | 
“aeeiy': cane or! Ae raga ads 


i 
a 


ld nell eyed SMe $9 4 S*) age) 6 oe peistiege shiz 7 
e. al : ‘a ee = ch fi ” = 
is see re Bs UF eet ohoes Leaup i 
; j vig : | J* e yer ‘ - Subs : 2, 4 he tT" tei + i * 
j b 2 t 4 


antibewe he tachi? Aa do beets tithes aks sol ne aepdea 
gua gaia. tte et 2) eerie sel: 
) wee ee lbshng od*eid | oy eat bheckaes adtz 

‘enpaas. al eb _ 


wltsetssg vhca @5 qa: a Sad Tig wot wi iy joka 
belie yaenes pF bu) com 5 extaen! 

te joule es she wiges rina 
tue) abo: a: fiat eam a ro ty v'gen: el 
& dsasToaub whe yeiy ld eae eee 

: ee < 1 A by gees al . 


7 / 
oT orn ic ols na or Cad qt ot Aes 
f 7 ‘ ran Sh an 7 : 
a ; . >. _— ay a - 7 [3 : » - _ 
; i  é ae, fti3 ‘ ” Ye Peal Ya 3. 2 ' ino ‘ ; 


be given more Signature authority than others by 
storing a weight factor along with their keys at the 


KDG: 
b. Versatility and Dependability 


A number of improvements distinct from increased 
security can be built into the SCN to make it more 
convenient, more applicable, or more reliable. Some 


possible improvements are: 


(1) Throughout this chapter half duplex operation has been 
assumed for simplicity, in that only one end of a 
logical channel was expected to be transmitting at any 
time. Additional mechanism in the SCD's and KDC would 
be needed to provide full duplex operation, but 


implementation should be straightforward. 


(2) It has been assumed that packet switching[40] is not 
required; that is, a direct physical channel is assumed 
to exist between communicating users and messages do 
not have to be switched from one KDC to another. A 
packet switching mechanism would be needed to allow 
SCN's to communicate, necessitating an extra layer of 
mechanism in the KDC's. Messages would need 


identifying labels and special formats[7]. 


(3) A mail system could be implemented with additional 


mechanism in the KDC and SCD's. Some complications are 


dba 5 pooyone ~ 


J 


ot 


ti je rene 


i 
| Y 


: p etl > 


ae 


. » 
* A fiiaiae I : - 


iq » 


ai 


je 


be his Saeed 


8d ie ) 
; 7 otlve 
4 


O35 4% 


(4) 


sy) 


apparent because of the requirement for active RELEASE 
of public keys by their owners. A third command, 
'MAIL', might be added that would not require active 
key release; alternatively, users might generate 
Special mail keys which would not be protected by the 


history butter. 


For additional channel capacity, a hybrid system[12] 
could be implemented; that is, one in which users can 
encrypt material using a fast private-key cryptosystem 
Such as DES, with the public-key algorithm used to pass 
DES keys. Generation and storage of DES keys would 
have to be entirely SCD-bound to avoid the necessity of 
a large central computer, so although some 
modifications to the SCD's would be required the KDC 


would need none. 


Redundancy of the KDC and printer is required to 

prevent partial or complete communications failure in 
case of a breakdown[40]; additional software would be 
needed in the multiple KDC's to simultaneously update 
multiple history buffers and handle multiple printers. 
Redundant KDC's would allow faster network operation, 


of course, while they were operational. 


If the RSA cryptosystem is implemented faulty keypairs 
will occasionally be generated which may not be easily 


detectedubysuser testing.) 91lt isseasyetosdesignes 


49 


ea 


(* sud 


; at 


4 
ia 
<x 
“ 
| 
uy 
“q * 
R 


protocols tformmreplacement ort faulty key aiveach SCD 
always retains the two secret keys most recently 


generated. 


2.5 Applications 


Since the proposed SCN can be implemented entirely on 
small computers, it will have more applications than 
previous more expensive designs. Some possible applications 
include internal business communications, transmission of 
prescriptions from doctors to pharmacists, electronic voting 
and census (decryption keys would be obtained by 
enumerators), electronic notarization (including recording 
of patents and copyrights), invoicing (i.e., business to 
business or KDC/KDC communications), electronic funds 
transfer, transfer of securities by brokerage houses, and 
ordinary interpersonal use, eventually possibly the most 
MipoOntahusalDllCatlOnmor aa: 

Since the keypairs act as capabilities[14] or tickets 
conferring privileges on the key holders, the system might 
be used for interprocess communication and synchronization 
if implemented on large computers. If a logical channel is 
thought of as a resource that is shared by processes then it 
can be seen that process deadlock on a resource is 
impossible using our protocol and security in a distributed 


system is guaranteed. Damage to a resource can be traced 


50 


= Ad 
/ 
: hed Jan ti 
q 
¢ 
a: ee | 
i¢ A) RY ha PUt Pe ea 
4 eine = 
i La 
way : 
: of 
ase j ] a (vena 
y — ' 
av Fi d a9 ye Se é ' mY “eng 


ml sit lnenithaee Bre « 


ue 


lersie 
Py > »-s 
, - ae, / : 


back to the process that did the damage. 

An example by Whiteside[49] emphasizes the necessity for 
an SCN for internal business communications in at least some 
industries. Whiteside observes that a large oil company 
lost many millions of dollars by being underbid by a 
competitor for tracts in Alaska. Information belonging to 
the oil company was apparently intercepted by the competitor 
while enroute between Alaska and New York. The proposed SCN 
would have minimized the possibility of such interception at 
a cost of only a few thousand dollars for software, small 


computers, and modems. 


2.6 Summary and Conclusions 


It has been shown that a secure communications network 
can be constructed at low cost, if it may be assumed that a 
public-key cryptosystem can be implemented on small 
computers. The network is highly resistant to penetration 
By Outsiders and repudiation by legitimate users. The 
network departs from previous proposals in that only small 
computers are needed, users generate their own keys for each 
Gonversation, and a history buffer is included in the 
central mechanism to make it difficult for an intruder to 


ACLIVely USE aeStolen Secret Key. 


a) 


> 
f- mer tel! ba : tas): | 


3 me +e ee a it Sv 


ae I pas Pir 2} sats 


_ 


ein. ee . 


> we 7 ate 


o2 


In part, this chapter has been meant to aid in 
discussion of the interesting question, "How secure and 
impenetrable can we make a communications and authentication 
network, given the probably secure public-key cryptosystems 
now available?" After all, it seems futile to design a 
cryptosystem requiring an intruder to do thousands of years 
of cryptanalysis to obtain a key, if he can simply steal the 
key from an unsecured communications device. The proposed 
solutions are a first step in answering the question. 

We do not claim that the proposed network is impervious 
to all threats by a resourceful and knowledgeable intruder, 
nor that repudiation is completely impossible. Some 
forgeries may still occur. It should be kept in mind, 
however, that even handwritten signatures can be, and 


occasionally are, forged. 


2.ety 10 tncovieelt 
ete lgeed pighte ee wi 
eto Oey 8 | 
fhe + Sema ech ga tinier ot, bo aaa 

ive l+tec re pn eusafe BBs. wily galls re 
(eetesial’ dca naghag nan one iu }eoybaet § ya Sslenaiet 


a 20 


pase scale oh email ey! ‘nog salldogers todd 
ener Cl eee ite. (aa 29: 7990 


m4 | ad) PEP) eet adits VefTe calyras ethane: 


; a a 
| yan 
7 a 
- ’ 
Ho 7 
* r,. s | ri 
of te i on 


ek | a 


es 


; << 
1 Oe 


Chapter Three 


RSACRYPT: An Implementation 


3 ein troduction 


RSACRYPT implements the RSA cryptosystem on an AMDAHL 
470V/8 computer at the University of Alberta. The program 


was constructed for two reasons: 


(1) To determine the difficulties, if any, that must be 
overcome before the RSA cryptosystem can be implemented 


on microcomputers, and 


(2) To predict the speed of RSA keypair generation 


attainable on a microcomputer. 


In this chapter we first briefly describe the program in 
Seem COnecu2 weet hewdtahecuttaess faced™and overcome in 
implementation are then discussed in Section 3.3. Finally, 
in Section 3.4 we relate the results obtained to those of 
Michelman[36] to predict the performance of the RSA 
cryptosystem on the MC68000 microcomputer and to reach some 
conclusions about the practicality of the network proposed 


in Chapter Two. 


Ds 


, ee Me | 
1‘. a _ 
[NARA cect xan dala sonata a. . 

i | = aa oo ; 
=r 080, to oe eh 1 abo iu Fy ' 


rs 
op ie shay i 764 Miri . 
: \ iv 


ir ve ae 


* 


\ | ; ® ’ 7 7 
iaecvan: Jute Li Lee ru S273 ot4 srianemeh ‘on rc 
bes wists = ~ Ne vey <sovss5 Ae hed 2 apt sina ehae iad a - 
SPL ENY Stu died vgiog ners im no 7 
' f i t's ; , a : 
2p an ; yn Bs: oe ef iherg ae. 4) 
Rede od ATs | agent hea e: 
| | | ehh 
ai ‘ “ie Siista.s @ttei-s tear?) oe Sages Bid? aay 
1a Al 3 an Sa, ; a. ee 
£ eas ‘ ‘ahaa aa/o tus aeioad? .¢.t naigoee 
~ Fe ae : 
G 2026 cuteess (tas iepeiceit awdy ate shh qe! 


ts aagng (os Gel setae abtage- 47 of630% ow ibe? noi 288 
12h aria! de eonilteg 300 hd Jitter ey (arinoad Mok 

beats Oo CG ee < ee COGRGGM a@7 fo wedey ' 
bsaviper(y Nabepeq srt a IL" as! seeag eds jueda Bh 7 


Sabai a i 


™ 


az LniewrProgram 


It seems that modularity has been discussed only in the 
context of private-key cryptography[4]. However, an 
implementation of the RSA public-key cryptosystem also 
requires that very distinct modules be implemented 
separately. 

RSACRYPT consists of seven major modules and three 
modules peripheral to the RSA cryptosystem. Coded almost 
entirely in ALGOL68, RSACRYPT is designed to be easy to 
understand and use and to be user modifiable for additional 
cryptosecurity; itS operation and modular nature are 
depicted in Figure 3.1 (called modules are bracketed). The 
Seven major modules are organized into three groups as 


follows. 


Group 1: Global Modules 


(1) SERVICEPAK is a utility package that carries out 
functions such as the opening and closing of files for 
iiceraction with the user, for key) storage, and for 


encryption and decryption of messages. 
(2) MATHPAK is a multi-precision arithmetic package. 


(3) DESPAK contains all the procedures and tables required 
for a software implementation of DES. It is called 


WiLhAeeECEIiGMthe fipStucechanactercmolawhichsare 


54 


” 
a) Pa P : raw) 
vaweail nines ace sett dahlias 
i 4D 7 a voi talieg ane $ii3 
- « “a 5 De 
> Mae us 
: wit reine i 268) 
; i. 
, a) rm 
‘ ; i ae | ny. ANT j i . ae 
eds cid 
| laihatg idl: lite 
“> r Me ‘ ras j 
v4 
mar iy, (9 
\iaihipad rts (haba 
17.) te read wa) Ry 
"5 : 8 9 x 
t > 4 ' i} 2 } Ef eae 
a i! ¢ 


Ries <n hi ee aa aie: 

+! ie MS =. 

is LT, 29 eitense ee fy ¢ i. wy 
ire: oth oes 

; on gas 


Characcer Input 
& 


¥ 
DESPAK 
¥ 


Randomized Input 


KEYPAK 
PRIMEPAK (DESPAK) 
(MATHPAK) (PRIMEPAK) 

(KEYPAI RPAK) 

(MATHPARK) 

(SERVICEPAK) 


KEYPAIRPAK 
(MATHPAK ) 


KEYFILE 


CRYPTPAK 
INFILE > (MATHPAR ) > OUTFILE 
(SERVICEPAK) 


Figure 3.1. Operation of RSACRYPT 


treated as a 64-bit DES key, and returns a string that 
can be used aS a quaSi-random number. It uses block 


chaining for increased resistance to cryptanalysis. 


; 
: a : in 
aye , are mt -s - 
7 ae eee ee 


1! _ ui) i pit 
mw oF a ae 
hoa RE eae 
5 


—_ — 


“ay. i 4 


, 
(4 % id pi. ; 
ob ) ‘ : \ 


——— 


=_ 


Riss6' 


ie) 


(6) 


Group 2: Keypair Generation Modules 


PRIMEPAK returns, for any given integer, the next prime 
greater than or equal to the integer. The number 
returned is probabilistically prime; the probability 
can be made arbitrarily close to unity through user 


input of the amount of primality testing desired. 


KEYPAIRPAK 1s passed 3 prime numbers and uses MATHPAK 


topobtain anewlerd,i1) triples: 


KEYPAK interacts with the user and determines the 
length (in bits) of the keypair to be generated, 
invokes DESPAK to scramble an input from the user, and 
transforms the quasi-random number thus obtained into a 
keypair, with calls to PRIMEPAK and KEYPAIRPAK. The 


Keypair iSiwrittenstota@userespedi fied file: 
Group 3: Encryption/Decrypt ion Module 
CRYPTPAK encrypts or decrypts a message ina 


user-specified file. It interacts with the user to 


determine the key to be used. 


The three peripheral packages mentioned above include 


one to allow the user to choose between a key generation run 


and an encryption/decryption run, and two assembly language 


routines to allow visual editing of files and reassignment 


of logical I/O units without unloading the program. 


56 


ot | eee , 


- ak _ 
ee ‘ull ¥o a 


i 


i \ aia ay 36 deowo> s ah}. 
a rly : ' 

. 

ens q “ 


/ — : ate 
Nap ae seth PT eet) ee a 
4 Lo . ; 4 


. 
a 
“ee 
aa 
4 
es 


. 2230 758 Tou atts, ae Bs and ond 


. l faat @ P 2 
A NS bet ae ee | 
‘ MIRED Reve : 


Because of its modular nature RSACRYPT should readily 
lend itself to future improvements. For instance, the 
program owner could easily detach DESPAK as used for 
quasi-random number generation and attach a quasi-random 
number generator of his own design, or if a faster prime 
number generation scheme is devised PRIMEPAK could be 
replaced. As well, RSACRYPT should serve as an excellent 
basis for implementing other public-key schemes: any 
public-key cryptosystem may be expected to require a 
mathematical package, a random number generator, a keypair 
generator, an encryption/decryption package, and perhaps a 
prime number generator. 

Since the program is large and complex some measures 
were taken to permit verification by the user and possibly 
certification. The data structures used were kept simple: a 
few vectors, representing the integers p, q, n, e, d, and 
the Euler totient, are manipulated and transformed as 
required. Procedures were written with emphasis on clarity 
and documentation; most procedures have test drivers 
attached. 

A knowledgeable user could be expected to gain some 
mnderstanding of the program ina matter Vol tagiew hours: 
Even a rudimentary understanding would allow him to at least 
verify that the program does not write out a plaintext 
version of his message other than to the file specified. At 
a deeper level, he could verify that the program carries out 


the RSA and DES specifications precisely, with no 


_ eb: vl, ments soinisiioe 
7 te ‘<engaaes iiseae haved i 
une 3 2eaedse Soden tut gsi: a 

STi wet ee Beg sbdan ath yar egies: rs pedal 

wees 4 ; et dase msiiieat i Be ort teondaonan 


a: - binfas ba. " r 
2 Tecan: oe: Ba Staph al fold Eade LL sho: OF page 


pl feokemek 8 arent 


re 


a 


ana  sevbbenbe reeimear 
i" 


a 
ca 


page ied. 20 140 aah aoe ee, ot, aoia 

\ hice qa) hate sey Se wes Lala J snd rated a 

| “i ophivaetve 246 exeh <n: pence. i | 

: ; | i Edad dia} +] i i ball ‘ @wicoy m 

; Aion ry ties se o%@ GCinekabé selva, aoe 
"alo We ehcety S70N ae: Stes on runesoss boa . r a2 

a364278 725) 9 aA aie 4 SyeG en 

} oat 

ime cise o: Les gees Sivas. s8e¢ nee 
yvetuee asl 4:49 aa te6, Le i aden aaz 30 

sehen: a SI Piiat * cab | , 


deviations, or satisfy himself that the program is a 
memoryless subsystem that does not retain the prime factors 


p and q after a key generation run, for example. 


SeaeDitt1cudtves 


3.3.1 Quasi-Random Number Generation 


The generation of good quasi-random numbers is of 
Critical importance to an implementation of the RSA 
cryptosystem since if the seeds for generation of p and gq 
are insufficiently random a cryptanalyst might find a way to 
factor even a very long n. There are many methods for 
generating quasi-random numbers, ranging from trivial to 
highly complex; Knuth[29] discusses much of the theory. In 
this application a method is needed which is compact enough 
to allow the code to be easily implemented on a small 
computer, which still provides sufficient resistance to 
cryptanalysis. 

Two extreme examples of generators considered and 
rejected for this application are the mid-squares method 
used by Von Neumann and mentioned by Knuth[29], and the 
highly sophisticated TLP generator designed by Bright and 
Enison[3]. The mid-squares method involves the repeated 
squaring of a seed and extraction of the result's middle 
digits; the method is certainly compact but its simplicity 


leads to doubts about its ability to resist concerted 


58 


a - ir pin 7 ed - 
adibte 3 ku 4 pelius 4 saeit 
ay . q a - 


7 Lie — 
sof sé cl REO qoop-3¢ ani 
o - : ; 
i ‘ Pr) : 6 
> HOT Peahone epite: “See. 
} A-9 
: (ap TOT aDees. S82 
= a 
oar 
i eo. eSuk. beh o Fey 
a a y 
aid ah ra G ak 
‘ { yo 4s + Mm gfAet 4 
. sr J ie 
a? 
de 
r : £96) 0 =a ,« oltae, 
Bi) Dye ad 
At eis Ae abun eeeeh ie ee rath 
i » ’ 
’ _ “9 : f: a & ic fj ) bee ‘a. 
hla toe ¢. / 
Ze >. kere 
riz} Re ee Leiden - a 


s :F : 


ev) { oe ; RL ab \ ." Toes e ‘ bead 
wa bare 


' . i -y¥ 
yn” tae. (o5 pen Ge. sane tte 


cryptanalysis. On the other hand, the Bright and Enison 
method is anything but compact: it generates large tables 
and is suited to keystream generation on a large computer 
but not to quasi-random number generation on a small 
CcoOnputer:, 

It was decided to use a software implementation of DES 
to scramble a seed input by the user; this decision was made 
because it has been observed that strong private-key 
cryptosystems are by definition excellent quasi-random 
number generators[3,46]. The seed used is of the same 
length as the sum of the lengths of the three quasi-random 
numbers required (plus 64 bits for the DES key) and is 
entered as a string that, for practical keypairs, is at 
least 100 characters long. A length of 100 characters or 
more is probably enough to prevent the user from introducing 
an unconscious bias into the seed that would permit 
cryptanalysis. As an additional precaution, block chaining 
is used to scramble the seed even more than is possible by 
Simple use of DES; the number of rounds of chaining is 
user-specified. The quasi-random number generated is split 
Wjeoetnree parts that are used asmseeds ato generate p, q, 
and d for the RSA keypair. 

We believe that DESPAK overcomes the shortcomings of DES 
because this is a software implementation so the program 
owner has access to the DES tables. Since changing even one 
Dit Sineanyectathes tables wil @radicaiily alter the ciphertext 


obtained from a given message/key combination, the owner can 


Sye) 


mee a 
ae We ae a 

> we, realy tae | 
7 weniger’ spre: 


$o.)\age ooo elegy 


= 
1 i; 
7 


liea= 4.¢3 


7 


s65° cow prieioes Shit ae Pry ~T seca base ida : 
‘aerate ts 7G phage ‘emis Gewagens 790 ead bas ken , 
Pnet- eiap on i ehn vin belle et vid Oued P ca) are: 
Milf 


ies ae + ah bee Goay af? tee lane sitwney 4s oe 


Bar 
gp eAS iW 17 gn Be wr Yo “lege oy om Gap mel. 
ries ; A 
a yt 4 bist fe, of. basiege x 

@% 
a9 2 > sapaiele : ie? yore? 4 9 #6 vpoaga 

{eT Re peee > | a are 
; Ree oe ee 'fddiots Ry 


(ise heyvoy palais ad? tere! ah sa id 


a ie or Mi 
on aa ai) I Sieg ¢ %, Poovss J 37 PY Le es ai eel annge 
iy SSA] ee 2 Se cas 2 (246 > alenien ot ai 
yi : 
gi Gnlnde<S ie AARURE is, 72dnacag? aN de ari, ah mia, 


= oe 


iia. 2) begsaseg! sata bine * | esep wilt mie 7 ree : 
.q/atdhaney, of Shige ae Dole oh gait 2 
oF hs 


' 


bats] wae ome ai 


ige to apedte sre 


60 


ensure that the hypothesized DES trapdoor cannot exist. 

Additionally, in this application the quantity of 
DES-processed text is small (a large quantity is necessary 
for cryptanalysis) and unavailable to a cryptanalyst since 
it is further disguised by transformation’ intowan’ (e,d,n) 
triple. 

One shortcoming of DES that DESPAK does not resolve at 
present is the short key, but the key length could easily be 
increased if deemed necessary. Even more security would be 
provided by increasing the amount of input by the user and 
discarding some of the scrambled output before use for 
keypair generation. We believe that a 64-bit key is 


probably ample, however, for the short 'messages' encrypted. 
3.3.2 Prime Number Generation 


The method used for prime generation is the 
probabilistic method outlined by Rivest, Shamir and 
Adleman[42]. This method involves the use of Fermat's 
Theorem: for a prime number p and any integer a < p it is 
always true that 

GimGee(s) = i) sGneleelle, jen) 
A number p is tested for primality by applying Fermat's 
Theorem repeatedly with a number of different a's. If k 
tests are passed then p is prime with probability 
(aay Gee kr 
Piapetaiisovd ibestethen 1b)1seincrementedeby s2eandslesting 


begins anew. Rivest, et al. believe that on average 


‘aa 


a an av i) 


iq at a ; 


aan 


ses sine | 


Be 
or) 


Al Aad: 
o 


4 7 


ES! 
Ieae 2) Jno? Qomeesons 


Pos 
J 


iyigg "] ee uae Bd Minsnes ee ® 
veo ee | 


Bs aoe 
‘A: > @) 
pte ile 


approximately 150 candidates will be tested to obtain primes 
of the recommended sizes. 

Obviously, the generation of primes using Fermat's 
Theorem can be done with the same routine for modular 
exponentiation as used for encryption, with the only 
difference being that in encryption the modulus is constant 
for a number of message blocks whereas in prime generation p 
changes frequently. Therefore, a hardware 
encryption/decryption unit, when one is built, can be used 
to rapidly generate keypairs as well as encipher messages. 


Two questions occur when programming this algorithm: 
(1) How should the values of @ be chosen? 


(2) Modular exponentiation is a time-consuming process. 
Can its use be avoided to some extent when generating 


primes? 


In answer to the second question, the use of modular 
exponentiation has been reduced by approximately a factor of 
5 in the following fashion. 

Given any odd positive integer, p, one easy test that 
Benecr Sass ,eOr scl enOnspDrIMeomise On d1V TOC spa bYss2 mms liis 
ToeaA Can ber extended tO, division by 5,./, 5 | vwand solher 
Stale primes eaDiViSlon Dy  themrirsts  Sotia le primeStnejec Gs 
approximately 80% of all odd mimes as poSsible primes. 
(Extending the list beyond 8 primes will only increase 


performance slightly.) 


61 


ain 


aah ane 


5 ? 
iy ca - § -. atte s YM 


| | ad ee ee 
7 ; ane i ; ate > my ieiy ae a 4 vr a 5 
in ; Man ' vs P| 
4 re gohve a fp ; r ‘a O03) 
| : 0 } (M43 “Af 2 hae a i rs 4 
Pei ie ae oF, | a kd te 
r ea? ie? a4, 90 ony 


“wey. Me 


in 
‘ 
cd f Te inet ze Ph (oe ale in 2 jn 


To avoid dividing every candidate for primality by all 8 
prime divisors, a count is associated with each divisor that 
is initialized to zero when the divisor is found to evenly 
divide any candidate. A count that has been initialized is 
Simply incremented modulo its associated divisor for all 
succeeding candidates. After only a few candidates have 
Deen teStedsinethiseeashionsad@) countsSearel ineitwa lezed and 
division by prime Biss Agere is entirely eliminated. 
Henceforth, all counts are incremented for succeeding 
candidates and whenever all the counts are non-zero modular 
exponentiation is used for further testing. 

Returning to the question of how the values of a should 
be chosen, Rivest, et al. suggest that random values be 
used. This suggestion need not be taken literally since all 
that 1S required is an unbiased set of a's that gives each 
candidate as fair a test as possible; furthermore, in 
practice, the generation of quasi-random numbers is far too 
time-consuming to generate the many required values of a. 

RSACRYPT generates a@'sS rapidly and with very little 
memory requirement in the following way. A short list of 
digits is entered as randomly as possible by the programmer 
Decoremocnol lation .us DUT Ingeamnun, sca S always initially set 
to 3 as recommended by Knuth[29]. As succesSive values of a 
dre needed, sdigitemirometheyshortalistearesprependedsto the 
current value of a. If prepending alone were used, however, 
@ecoukdeqrowelanger thanep, whicheissunacceptablembecause it 


is unnecessary and slows down the generation of the primes; 


62 


ie } eS _ 7 me ¥ | - A 
uit a cee 


ze Fi@red.nq: th 

ifn 394% s5e) eh ‘Hl Ace af badd dtaien 

ead netabibaky Gat! date harem e299 bDy 

She Ga thats sing ee rhe ui ign? otter 
sess alee phe idoe zt Catal fs Pepe we 

vai hesorug ua Regge sii wig 207 + tee 116 

[phan 4%$s 024 Qeayee: e432 tq 29" ore hae gh ‘ 

tae Te ba 18% Secu a 

bidigize 's 2 w OS [a4 uy oh Paes ated en oe. ee 

wae 7-2 ita 4 can a . Tee hail 


y ? 


([é noned Yisspeeset TP te, es) el ob bite bs try = 
icone corey TEE_4 0 ea St riba ite Ai Hint ietchal de 
teh 3 al th aie | ve > eb a f viet 36 #1bi bom ; 


ney | ai , 
a 4 nah ed | Sanaa eee 16h sideehee $02 ot as 


kilt 


niet 
pub 


* 


Ve 


te 


ay 


&. t¢) Spolsy bea eps guaP | a oeaig S? getance se mts 
bol. ey ae Peele Wags 2 °4 a a a 
fe 292) Gaeedm Ay”. gal rewaDt pt eMA pad aati 7 ; 
p=aarre- of, nl, 12 wT Clene ee ciagbeer ¥a berailing et stk Le 
gaa vtia(t.at a¢aese al a S eine deans 
be To cow lee ev Seaiesoun ,,- eR nesanie set teousg 


ht oa ite a phe me ea 


AD Spanier: 
7 
Oy tah . cs 
7 7 7 


therefore, when many tests of primality are to be done an 
increment is computed and a is sometimes incremented by the 
computed amount without prepending. In this way, the many 
values of a are folded into a small amount of memory. Since 
the user specifies the amount of testing to be done, which 
determines the increment, the programmer has little control 
over the a's that are generated; in a sense, they are 


quasi-random. 


3.4 Analysis of Results 


Recall that modular exponentiation is used for both 
encryption/decryption and key generation in the RSA 
cryptosystem. Modular exponentiation requires the repeated 
use of multiplication and division (see Chapter Four) and is 
Ota egtetheastandard™ O(n eeatoqortthms foremultiphicatzon 
and division are used. 

The results obtained from RSACRYPT, combined with 
Michelman's results[36], permit the prediction of the 
performance of the RSA cryptosystem on microcomputers. For 


brevity we derive timing estimates for only the MC68000. 
3.4.1 RSACRYPT Results 


RSACRYPT encrypts, decrypts, and generates keypairs very 
Slowly because of the use of ALGOL68 and a radix of 256 to 


represent integers, as well as the use of the standard 


63 


a aa so 7 Ge 
ee Th i 


a4 ‘ua hevebiae ne 2 


vrs 


if) i 
oo) oye. at fi 
Soria . Yoon te +i 
Aprme alga es <a 
13177201 it ont: Serta 
ah. {1 Sahin wh net 1A rei iy : 
ry sat 
- y ; 
- 1 P a: " 
2 1eyRen? 20 ee ae 
A " a 
, F | } | 
' j ‘ Ai 7 
id ‘ond bbe er ae eg At eae sant ILer08 
ot : Ai : 798 ' 7 


' 


ihe 5 aed a 
.4 jagead ay Hes Ft ae * hes ai naaersa dy 
2h fb es FUL hab 


msypttqesiée Sal 
ein - yeas - Dre (-pemaneta, eile it (nla 
| “rr are wna 
aay tos tates, TOR ce Se eaineNs 4 
re: 2! wing ais ht eee an J 
1 .e7eTeGhose om i Saat 64,34 Soetemaiaribates 3A 
One sd ads tag snare j20 ‘side aviaahs a+ - 
| 7 ct 
nT : | 


64 


algorithms for mult iolication wand divisions” Tablew3 \} 
illustrates the encryption speed of RSACRYPT for various 
Sizes of the modulus n, with the key (e or d) the same 


length as n. 
n Size 
(decimal digits) 


(55 SCS V2 EbTts) 
Zi Oma Omoracs 


Bits Encrypted 
per second 


Shs) 
Ons2™( projected) 


0.13 (projected) 


Table 3.1. Encryption Speed of RSACRYPT 


The first 4 values in Table 3.1 were obtained by actually 

running the program, permitting the solution of 4 equations 
in 4 unknowns to obtain a timing formula, which was used to 
obtain the last two (projected) table entries. The timing 


formula for encryption/decryption is (in seconds/character): 
i= oe 0 OSes 05 bi greae 1 29207255) noe Ose 7194) ns 


where m tS the number of radix 256 digits im the modulus, 
CRSAGRYPT@tises avradixSobe25On8Table 39141 50in vdecumal 


@iqrts forvconvenience. The conversion between the two 


1 If M(m,n) is the time required to multiply an m-digit 
With an n-digit number (radix 256) and if D(myn) Vis® the 
time required to divide an m-digit by an n-digit number, 
we have found that the timing formulas Or 
Milctplicacion and GQivisSion in sRSACRYPieare: 


27 + 36n + 62n? (microseconds) 
1230 + 532n + 56n? (microseconds) 


M(n,n) 
LD 2ia) 


5 ae 
‘Ag! r 7 aba 


ra 
Ba out 2) 


," ee ; 
7 see 4 enue 


Kadices is done byvassuming that 3.3 'bits is meededeto 
represent warraduxe10edtgrtaandeSebitsptobrepnesentea macix 
25600104, t. )) 

Since prime generation makes use of modular 
exponentation it too is O(n*), permitting the same technique 
to be used to obtain a timing formula. Table 3.2 shows the 


times for key generation for various key sizes. 


n Size Time to Generate 
(radix 256 digits)| Keypair (seconds) 


60 


100 
130 
5/10 
1 SS Golieety tsi) 6689 (projected) 


Table 3.2. Key Generation Time of RSACRYPT 
(5 Tests of Primality; Ordinary Primes) 
The first 4 entries allow the derivation of a timing formula 


whicherGmunn Second Spi: 
Tes | 52 aie onmoeO. 2 oon? £9(592/419347 ne 


where ntis the number of “radix.256 digits in the modulus. 
The last entry in Table 3.2 has been obtained using the 
above formula. 


Two things must be noted about table 3.2: 


(1) The primes generated to form keypairs each had only 5 
teSstemotepmimaluty. (thatwicjeo ams )iqeeRivest;gohamiry 


and Adleman recommend 100 tests of primality. 


65 


a 


ot | 


aa 
ee 
Satan 
waka 
. 
; hom Ty Loe 
) ~- 
i 
<a moe 7 
; “- bie + , 
sil eile Aira P nips 8 
i co 
le Va 24 av 208 phir 
: : | 
wee ee 
a 2 eee 
josy? : 
rt 
ih a 
enh 
1G, 
4 } 
Vb 


=e 
sic’ Mage wir 


oe 


‘ sigal 
wr be 
yy $ 1 | Gtr __ oon. . 


~~ 


ao7 4 
a 


- 


- hat te sleet 


66 


(2) The primes generated do not conform to the Rivest, et 
al. recommendation that primes, p, be generated such 
that prishasta@larcge@prime: factor, ufeand thateu-Iealso 
has a large prime factor, v. The generation of such 
primes p can easily be accomplished by first generating 
a prime v, doubling it and adding 1, finding the next 


prime u, doubling u and adding 1, and then finding p. 


Be 42eMichelmaneseResults 


Table 3.3 duplicates the relevant results obtained by 


Michelman. 


Key Size =n 
Machine/n Size (bits encrypted 
per second) 


16-bit Machine Size(PDP11) 

200=decimal-digiteneSize 
without cache(PDP11/45) 
with cache(PDP11/70) 


100-decimal-digit n Size 
without cache(PDP11/45) 
with cache(PDP11/70) 


32-bit Machine Size(370/168,cache) 
200-decimal-digit n Size 
100-decimal-digit n Size 


Table 3.3. Michelman's Results 


Michelman's implementation is 1.5 times faster than an 
implementation using the standard algorithms coded in 
assembly language would be, because he uses a variant of the 
Karatsuba technique for multiplication that allows 


multiplication to be done twice as fast as with the standard 


ee 


; pa owiig oad em 
§ f = — _ . ab 


. 7 
ss nas “—e widtq 


bag 4 a 
tae 


67 


algorithm and he uses standard division to obtain 


remainders. Michelman observes that his results are not the 


best that could be obtained: no special coding tricks were 


used. 


3.4.3 Projected Encryption Speed on the MC68000 


Michelman's results for the PDP11/45 can be used to derive 


Table 3.4, a table of expected encryption speeds on the 


MC68000 assuming that the same algorithms as Michelman used 


SgemUSede Or MUlt1p) 1catlon andediva sion. 


Key Size =n 
Machine/n Size (bits encrypted 
per second) 


16-bit Machine Size(MC68000,no cache) 
200-decimal-digit n Size 
100-decimal-digitwneSize 


Table 3.4. Projected Encryption Speeds on the MC68000 
(Same Algorithms as Michelman) 


Table 3.4 was derived using the following assumptions: 


(1) 


The overhead of multiplication and division on the 
MC68000 (i.e., indexing, etc.) will be the same as on 
the PDP 11/45, everything else being equal. That is, 
if the MC68000 could do a 16-bit multiplication at the 
same speed as the PDP 11/45, modular exponentiation 
would be done at exactly the same antyd as on the PDP 
11/45. Given the improved architecture of the MC68000 


this assumption is expected to be conservative. 


(2) The PDP 11/45 used by Michelman took 3.5 microseconds 
to do a 16-bit unsigned integer multiplication. There 
are various possible multiplication speeds on a PDP 
11/45 depending on the type of memory used. 3.5 
microseconds is an intermediate value (PDP 11/45 


Processor Handbook). 


(3) The MC68000 with an 8Mhz clock takes 8.75 microseconds 
to do a 16-bit unsigned integer multiplication (MC68000 


User's Manual). 
3.4.4 Projected Key Generation Speed on the MC68000 


We can now eStimate the time needed to generate keypairs 
on the MC68000 with the same algorithms as used by 
Michelman. Since a number of assumptions have been made, 
and since we have not verified Michelman's results, the 
estimate derived may be somewhat in error. 

From Tables 3.1 and 3.2 we see that the time to generate 
a 512-bit key using RSACRYPT is projected to be 6689 seconds 
and the encryption rate using a 512-bit key is projected to 
be 0.32 bits/second. The encryption speed on the MC68000 
Hsindea 5i2-bit keyeis derived to be i2.85bps etby susing 
Table 3.1 to compute the ratio of encryption speeds using 
200-digit keys and 155-digit keys, and? then using ehiseratio 
to compute the rate for 155-digit keys on the MC68000 by 
multiplication with the entry for 200-digitekeySvan Table 


3,4). Therefore, we anticipate that generation of 512—-bit 


68 


a aeieey B a. . pie of needy ry ate 
; i) ae os 

SI te 1 oa 
ire 0 | 


ali 


is 
Uy 
+ 


a 
| nae 


69 


keys on the MC68000, using the same algorithms as used by 


Michelman, will take 


Ti= (0.32 x» 6689) / 12.8 = 167 seconds = 2.8 minutes. 


TMHesgeneratlonsefe primes, p,mwithep. (enaviggeam large 
prime factor as described previously, will take 
approximately 3 times as long as the generation of ordinary 
primes. Only the factors of n (i.e., p and q) need be 
generated in this fashion; d can be an ordinary prime. 
Therefore, the time to generate a keypair in the recommended 
Pashion will increase by nowmore than a factor ot, 2.33.58 In 
fact, the increase will be less than a factor of 2.33 since 
the d's generated with RSACRYPT were 1.5 times as long as p 
and q and took a larger proportion of total key generation 
time than p or q. Therefore, we conservatively estimate 
Fnac the generation of keypairs in the recommended fashion 
will take twice as long as derived above, or 5.6 minutes on 
an MC68000. 

If each prime is tested 100 times for primality as 
recommended by Rivest, et al., it can be expected that 
Generation of a 5i2-bit keypaicewill take a00/5)(5.6)e=))2 
Wanutes or 1.9 Hours most of the time, “since only isot 32 
primes generated using 5 tests will be rejected by further 
testing; occasionally the time to generate a keypair will be 


substantially greater than 1.9 hours. 


7 


_ a 
7 - _ iV, | ; 


oe 
¥ 
Fo nnn 
- ‘ ' : ri ae 0008 
#3 ; we 26 am A ong ae am - ws rs i 


Fy (oom ie rs 
vs wot ’ PA ot y 4a 
BY aia Bak i 
pes Risin Pee 


id Tie ee 


aha 
26 'gh6 


70 


3.4.5 Projected Rates With Improved Algorithms 


PneCnepter Fourmswesshow that fore5(2-bitakeyoal series 
possible to carry out modular exponentiation nearly twice as 
fast as by using the algorithms used by Michelman. Using 
our improved algorithms on the MC68000, keypairs will be 
generated in 2.8 minutes using 5 tests of primality, 56 
minutes using 100 tests, and messages will be enciphered at 
approximately 25 bps using 512-bit keys. 

A fast typist types at 60 words per minute, which is 40 
bps if a word is assumed to be 5 characters long (8 
bits/character). Thus, if the improved algorithms described 
in Chapter Four are implemented it will be possible to 
encrypt at a rate exceeding the speed of a better than 
average typist, with 512-bit keys which will provide ample 
cryptosecurity (see Table 1.1). 

A key generation time of 56 minutes is too slow for 
application in the network proposed in Chapter Two. In 
practice, however, we feel that it is unnecessary to test 
each prime 100 times since users must be able to easily 
change faulty keypairs in any case. We recommend that 
between 10 and 20 tests of primality be made for each prime. 
Since 7 primes are generated for each keypair (3 each for p 
and q), keypairs will have a probability of 1/146 of being 
bad if 10 tests are used. Generation time will usually be 
5.6 minutes using 10 tests, enabling SCN users to have a 


maximum of 85 conversations every 8 hours, which is ample. 


1 ili? ee 
si Pialais rr 

24 —@y> (¢96ah'  &, a3 Oe 

{ ) ig 


palad ..jineay ie 2 
ms wh 


fier ott il 
ta pet: oat . * 

F ee: ae ware A. a a.t =o 
fe fet ongtsns 8g ids, alae Aad ares oo gril de 
i oe vqd Bg Js 

2937) ag asi 


w itey ’ Bee 


tu ‘ 7a 2 2o%ow. 


beessde:? sw J “2 a hrew 6. ‘a t 
| sami ec vanes it Af asi ace 


Syn 1? vg 4 } eamek “eM wes 299% ay i 
Y i ee am PGS; wet! i or a afi a I. 7 
at inches LE Se 25 pe Jal Dome Els “heat adie ° 

- oe etic’ ian efi wosendy 

io. Wel sa2) = Lesbabni dy nd: tha? P oe aie set caida yo 


oa SAND hy MEmage TS 4 Knee ot pak ed 


S203 + yaa sSanny a BA! (ees) , rt ig rs 
os mi | 


>A + sah erat: Toc te pauans ie 
643 Bineud 7s2 We os . o ie a¢ ossupend bet 
ee Bi coc RE tae 9 


th , 
i 2 
a if ef 
© 


| aa 
i) 


7G Wea os 
® tal rises’ ! rt 


AAbits t6 air ‘7 ‘ou 


apt er : eee? 


+ 
re " | 


dl 


Every two or three 8-hour days users can expect to generate 


aetaultys keypair, 
3.4.6 Projected Network Rates 


Recall that in the protocol designed in Chapter Two some 
messages are enciphered once and some are enciphered twice. 
Assume “thatwkeysmares 512° bits long and@that encryption speed 
is 25 bps. With these assumptions, single encryption of a 
512-bit block takes 20.5 seconds and double encryption of 
two blocks' takes 82 seconds. For A to receive B's key, A 
enciphers an outgoing message once and deciphers an incoming 
message twice, for a total of 102.5 seconds. B also takes 
102.5 seconds to transmit his key. The KDC does twice as 
muchaworkPas’ either A or’ Bs tLhuss theeRDCirakes 205e@seconds. 
Equivalent amounts of time are needed for B to receive A'S 
key. Further, A and B must each take approximately 5.6 
minutes to generate keypairs with 10 tests of primality. 

Therefore, A and B each need 9 minutes of computation to 
exchange keys and the KDC takes 7 minutes to effect the 
exchange. In other words, network users are limited to a 
maximum of 60/9 conversations per hour (null conversations), 
or approximately 6.7, and the KDC can establish a maximum of 


6U/dm=2 6.5 looical channels pers hour., “ined onoursetwosusers 


: Two blocks of 512 bits are needed to encipher a 512-bit 
key (e) and the other information transmitted with the 
key. The modulus n can be openly transmitted since it 
is useless without the key. 


7A 


co 


oa ) 
fe Svea’ 

L : 
s,* 


+} wn re iL ad 


will actually be able to have only 53 conversations, not the 
85 estimated earlier, because of the limitations imposed by 


Phew protocol’. 


3.5 Conclusions 

Lercan®betiseen Erometstudy totekigure Se iMthateonly 
relatively small portions of RSACRYPT need be in a 
computer's main store at any time. It should therefore be 
possible to implement the RSA cryptosystem on a computer 
with limited main memory. 

The factor of 5 increase in speed of prime number 
generation obtained by using a list of prime divisors for 
preliminary testing is seen to be significant; otherwise, 
keypair generation would not be practical in the SCN 


designed in Chapter Two. 


12 


etnias” 
| | ih ah ‘en 
| wf iio sl 


5 


16 lies. 
9 an a hae us 


7 ut 
i‘? ashi 2o Bese, 628 


ae rate. Oe ‘sei nt ,: we Lai, 2 of a 
a: iP, are et a va es OEE: 
< : nd tape < ma > & 
a a Re veers _ : — ; 
pad ay , 


7 .: 
i. 


. 
oa 


¥ 
iM be 


y 


Chapter Four 


Towards Faster Modular Exponentiation 


4.1 Introduction 


A practical implementation of the SCN designed in 
Chapter Two, using the RSA cryptosystem on microcomputers, 
requires an algorithm for fast modular exponentiation, both 
to permit a convenient channel capacity and to enable users 
to generate keypairs frequently. 

io Eni sW@chapter awe Sficstiushow, Bin sSectrones. 27eiow 
modular exponentiation is done using only repeated 
multiplication and division (to obtain remainders), implying 
that one way of speeding up modular exponentiation is to use 
fast algorithms for multiplication tandsdivisivone® Since the 
aim is to develop a practical microprocessor-based SCN, 
however, algorithms that are asymptotically fast may not be 
Suitable for improving the speed of modular exponentiation 
ifeoractice because of high timing constants or for other 
Practical réasonss = "Section 4. 381sta ybrielsdiscussiom of 
several possible methods for improving the speed of modular 
exponentiation that we have found infeasible without further 
research. 

In Section 4.4 we develop methods for multiplication and 
obtaining the remainder of a division that enable modular 
exponentiation to be done 3 times faster than by using the 


Standard algorithms for multiplication and division. The 


TES 


¥ 
43 
‘ 
i) 
i 
17 
‘ 


had gash tear Tey yeaa 
wuly ats rs Na 4) 


method derived for multiplication is basically an extension 
of previous ideas, involving nonrecursive use of the 
Karatsuba technique, and is a practical method that will 
work in the range of numbers used by the RSA cryptosystem. 
The algorithm designed for finding remainders, on the other 
hand, is a general algorithm that can be used in conjunction 
with any fast multiplication algorithm to obtain remainders 
with the same time complexity as the multiplication 
algorithm used. 

Although it appears that microcomputers exhibiting some 
degree of parallelism will not be available for some time, a 
parallel algorithm that is evident from study of the 


Karatsuba algorithm is also presented in Section 4.4. 


4.2 The Modular Exponentiation Problem 


Modular exponentiation is the computation of 
mte (modulo n) 


for m, e, n integers. In the RSA cryptosystem m (the 
message) and e (the key) are less than n. 

The procedure recommended by Rivest, Shamir, and 
Adleman[42] for carrying out modular exponentiation, called 
exponentiation by repeated squaring and multiplication, is 
discussed by Knuth[29]. The basic algorithm is (from 


Michelman[36]): 


oe eae ha a i a 


| | “ ire y 
obey dy i ol ihe thy - ie K ihdas me nck ™ 


nafs fo 

Rr Bi ih 
ee nga alginoe Le 
we \ eo 
a Fay tare vag ag ; 
wer 


aati " dhe i 


el Get A 
Eorg™ to Vocrtte) 
do 


Ch =h rem Mere) in) | 
Tie ea thenycescrrem((ctm)pn mel serskipett 


od; 
The rem operation is done to keep numbers in a manageable 
range in practice. The result is congruent (modulo n) to 
the result that would be obtained by simple exponentiation. 
Note that, if mM anden are d¥diqitsmlongq™ then after each 
multiplication or squaring c will be 2d digits long and will 
again be d digits long after the rem operation. 

Exponentiation by repeated squaring and multiplication 
is essentially a method of evaluating powers by grouping 
multiplications so that fewer multiplications are carried 
out than by using a straightforward approach. For example, 
to evaluate m'’® where m is an arbitrary integer, we can 
compute 

mxmx m xeeex m 
which requires 18 multiplications, or the multiplications 
can be grouped as 
(oC Cite ae ty) ae) coor) axe 
which requires only 6 multiplications. 

To perform the grouping automatically the exponent e is 
treated aS a program that causes squaring or multiplication 
to be carried out in the correct sequence. The exponent is 
consiaered a bit string: ingourtexampleyii9,78is 100112. 
Phe bit) strinqlissreade fromelefitivoeri ght right atoslertican 


also belmadesto work) and ifethetbit readwis® 0+) then=only 


a) a =~ 
. 7 

wt ite Lads i "ag jects rh, ayo iF rain " a : € ; 

Farms 


t 
rine 


“42 


7 AS 
: ay beevii siti yim pr 
; ht 


. a 
yo4 Sr Oba 1? pigs = « get af 
; ¢ 6 r ae a 

if 


a a 
6 
) ? * Loe, i i - _ 
i L LA » a i > "7 
a od i ite a7 ; 
| ie eh 


76 


Squaring takes place; otherwise squaring is followed by 
multiplication by m. 
To illustrate, using 10014, as the program and with the 


VaEtable c initiallyed/ethes fol lowingesequencesis obtained: 


ac Ve Vespa 2 y WS (eh, FES ory a 
b) co s= mc =m 
Ph. fats) leeks, <0 0) Ce =7 CVar= aie 
Sie Siete! Vote, <i 1 Cera aC a= ame 
he beley debts ©: aecR: =Baeeeeme 
byes =nme- =em- 
Ss, Seley epee a) Ce tac + es mt 
5b) Mo): =Sncee=tmie 


4.3 Approaches that are Infeasible in Practice 


This section is a discussion of some ideas for improving 
the speed of modular exponentiation that are inapplicable 
for use with the RSA cryptosystem. In our discussion 
512-bit numbers are used as a basis for illustration, for 


three reasons: 


(1) 512 bits is approximately equivalent to 155 decimal 
digits, which provides acceptable but somewhat less 
security than the 200-digit key recommended by Rivest, 
etfalm, sNotemthat factorizationmoiiiags | 2abitykeyawould 
Still take many thousands of years. An SCN using keys 


SLesii2iburs® vould#@besacceptably secure: 


(2) Some multiplication algorithms require that the 
multiplicands have lengths that are powers of 2.) 1£ 


the lengths are not powers of 2 the multiplicands are 


iy rn 

gopees ged. (ey gat 
ot vas eon, a\ les 

nok bulletin taae 

129 fq laeqaeest!. i208 pore 6 #a an nae ae 


py te 7 


fuvloal! Fit o2 ai igs wLorwunt 

ened semiiompe as vn + stan 
seavvar ee benameatey i pie — newt ga taaen 
hhiow Yar 2 igegta ‘eet 
ait Cea a wah ; 


Ti 


paddedswithed "sm BFOrecllanity eit wsepreferanleastomavyoid 
discussion of the padding process and other trivial 


details: 


(3) A consistent basis for comparison of algorithms is 


needed. 
The infeasible approaches discussed below are 
(1) Reducing the Number of Multiplications and Squarings, 
(2) The Willoner Parallel Multiplier, 
(3) The Toom-Cook Algorithm, 
(4) The Chinese Remainder Algorithm, and 


(5) The Schonhage-Strassen Algorithm. 


(1) Reducing the Number of Multiplications and Squarings 


The method of repeated squaring and multiplication does 
not always provide the optimal grouping of squarings and 
multiplications. Knuth[29, 'Evaluation of Powers'] analyses 
the problem of finding an optimal grouping. He discusses 
four related concepts but only one of these can be applied 
to our problem. This concept is that of forming an addition 
chain in which the shortest possible sequence of additions 
igigenerated that having aseits sum the exponent to tbesused; 
the sequence of additions provides the program for squaring 


and multiplication. Unfortunately, finding a minimal 


eles a9 er! an100 4 


Ds 99 


addition chain for an arbitrary large integer is extremely 


difficult, so this idea is unuseable without further 


research. 
(2) The Willoner Parallel Multiplier 


Willoner[51] designed an O(n) parallel multiplier which 
hewsuggestsimighe fine application: inecryptograpnyeuss t 
built, it would certainly make encryption much faster. No 
parallel divider would be required if the PFRA algorithm 
developed later in this thesis were used. Unless there is 
an unanticipated demand for the device, however, it is 


likely to be expensive for the foreseeable future. 
(3) The Toom-Cook Algorithm 


Knuth[29] discusses the Toom-Cook algorithm in detail; 
it is a recurSive, divide-and-conquer, generalization of the 
KaratSuba algorithm. Unlike the Karatsuba algorithm, which 
splits multiplicands each into two halves and uses a special 
mukeplG cat lon. ordere tonmul biplys halvesy® thee Toom-Cook 
algorithm’ splitsimultiplicands intosriv portions wither 
increasing with the lengths of the multiplicands. That is, 
Phe wengerscnesmul taplicandcethe mores partstthey@are broken 
Bree 

Study of the algorithm shows that it proceeds in 
letepst ,-in that+iterequires multiplicandstot 62ebitseor 30 
ies) Or 620 Hits ore 1280ebitsmmetcia tor be placed’ on amstack 


initially. In other words, multiplicands must be padded to 


78 


- 


doldw sel igi i iui cotton 
li .ydeebereghey adopt 
au ,2e8est dou aise ake, dina io. 
in 7 “ 


-ic AGH Rd BE boriuean “bluon 3 


“boi $e 


1476 
ai siers aoslov » .Reeaey 2 sails: d> ib ase oe 
> , eves ne eniyet sfc toe ipa ety hated tse 


e40ce) 5 eit parint ij + sees ed or ¥ 


astiter! A sot of 


ob nk efseebete | aebleon - Fes He es is i 

wis te ! jan Lie tetep omaigesrenans vib cae on n 
dsity ,wtas4a a srtirty reve ead mz. eer ‘ aals ae 
ait mgs @, e4ay brea cat ome o2nt 2268 sie shia | 
jen. GeeS? wiz aawiiaane Hiistun\¢4 tabing 198 , si 
ee otes ates ttqheiue eatin 

Soe <i ad te adegael nly: isin 


tert ean Gove ere dical-aas ogpietciontn 


Bei _ 
a 


these lengths, and only these, before the algorithm 
proceeds. If the multiplicands were 320 bits in length the 
multiplication might proceed efficiently, but multiplicands 
OFS P2ebiits" requuretpadding stos|280) bts. # Thissamountmwot 
padding would cause a great deal of extra work to be done, 
so much so that we estimate that the algorithm would take 4 
or 5 times longer than standard multiplication to multiply 
512-bit numbers, without considering other overhead. The 


algorithm is therefore inapplicable without more study. 
(4) The Chinese Remainder Algorithm 


The Chinese Remainder Theorem provides a technique for 
converting from residue representation to the standard radix 
representation. To-.convert from radix to residual 
representation a number is divided by some relatively prime 
numbers (moduli) and the remainder, or residue, of each 
division is retained. Numbers in residue form can be added, 
Subtracted, or multiplied timeOUn iitime ys ibutmnoseffiicientmway 
Gicamrying Outtdivis 1 Oniersm@aiown qe Abeemyeherdesi ned 
operations are done the result is converted back to radix 
form. 

Aho, Hopcroft, and Ullman[7] show that the time 
complexity of converting between radix notation and residue 
notatzomers, O(M(bk)log zk) where ebaisiithesnunberpot bits in 
Gach of the relatively prime moduli, k is the number of 
Modus band Meas =the time (tO multiply etwomiunteder cs  ebecauce 


the process of conversion is so time-consuming, a single 


fs) 


at: dogagl eh an 
+> 

soewatlataiew sh AM ; 

7 


a] 

, 

7 7 
a 


~ gmyertia adat® - } 
ra 


> ‘ 
‘ 


ie 
fot, S38 as inaw @ : 


i olan Olyse ahi Tapit un 


yigd oa GS ties hgzidgen 
mtT Sem: $40 77ers ged vobiange 


yoy eras JUGeiaw econ! Lgiyhah Wee sani 


| - is 0 o> | 
wae? soaps wabo loot sends eat 


. | a 
i ; : + are ae 7, . ; oa 
itiod 6 eae ath ante Darga saenipd. on 
Mba: ie aos betes eh des 203. moa? eulst 
1p hi hrs ty SOE} mo: Fossaus on pehdasne 


jay states eeuc Vat Geeier’ of) sacere A te eae 

foga Ge 4 Gs eae Fei eivied wih? ae ne : 

the wi ows ean aaSoaye hi 2 poi neg aaes 2! aot | 

auinthe ig Syke MMMnP AAO 2) Netter shim inn (bes 

boxitah od2 very r {bipons om rea oe tire m 

esos ‘sug cesnauentel shvvws see 
oe ie 


, P 
9 — 


Ao 
6 @ wa 
an - 


out catia ae ‘a P8 e vob bus aie , 7 yoda 
ale oc pens bet surat fers e's be: 21g 


ai aold Be | mies oi) 4 
“i ma | 
hm a he ere “i 


Pie ee haley ae Picts 5 a,” 
: ¥ _ aes . ay igh | mt | th a pesevros 
- mA q ; ; -_ : ; 7 


Pe) 


4 


ee 


multiplication of two numbers cannot be done efficiently; 
gains in speed are realized only when the CRA is used to do 
a large number of consecutive multiplications. 

Modular exponentiation requires that a remainder be 
obtained! afiterseachimultiplicationsoresquarimgzault this 
requirement is strictly adhered to, use of the CRA does not 
make sense because frequent conversion between notations 
will be necessary to Aeanis Banalnocec to be taken. 

There is actually no reason why a remainder must be 
obtained after each multiplication because, as previously 
noted, the remainder is taken to keep the numbers "in a 
manageable range". The range might be redefined so that 
taking the remainder is deferred until a critical size is 
reached. At that time the result would be converted into 
standard notation, collapsed by taking the remainder, 
converted back into residual form, and multiplication and 
squaring could proceed as before. 

Unfortunately, the critical size/collapse approach has 
several deficiencies. Representing numbers up to the 
critical size requires either extra prime moduli or larger 


prime moduli. Consequently, the work done in conversion 


between residue and standard representation increases. This 


increased work factor cancels any gains obtained by 


postponement of division to obtain the remainder. 


80 


ane. o{ hear 7 


papers . “a a fu 
oh of hihs hem 2 
fae 


\ ) . an 
i] : »; & 
te! gateitieatear ah) OE 


; i ne a i 


7 
Pace ui) : 
a ie oP 
1 WEE I0y pew 8 
Wes A264) anand fale yrs >. Jeet vitae Ey 


ovat a0 GP depuis ‘pen a oo Seeks 


raya yetin- Pete ae te ¥ vn e baad 96 ate 
re : a 
In code sesh tei Le 


VOR? RS ae niet mp Ves f 


‘a me 
a - 
| fg J oct Neca she fa - : 
aif 4p bh as + We 66 sGeP an sndttasey nase 
ic ftps eee ope ves he Bh akewien h adn ira of nial , 
., . 7 
Yian2 dd 33 ae en mae | 
seul ADECRGGR ge seal Loe fst) 4i-ip eda” ydodemyercat ww 
. ) an 
Si? 49 Qu at cman Mpzpnskor a8 Sided haa ~~ 
we 4a 
iacie!l oo) klubom ont b pate = EL seein footy 


tale een A ng hae gsc 


Hag 


a, f 
t pubbhiiy Cee 


a2s)° Jeni ort Ad 


Also, the time required to obtain the remainder when the 
eriticalmsize is réached is®also significant. suliethe 
critical size is set to a large value to defer several 
divisions, then the time required to carry out division of a 
number at the critical size will not be inconsequential, 
even uSing a fast division algorithm. 

It appears that more research is required before use of 


PheacRAebecomesepractzcabgin this application. 
(5) The Schonhage-Strassen Algorithm 


This 1S a recursive divide-and-conquer algorithm 
Gequining that ene multiplicands be represented by their 
Fourier Transform. Once the multiplicands are transformed, 
pairs of elements of the vectors obtained by transformation 
aresmultipliedjitogether stosfiorm a result vectors ~The 
resulting vector is transformed to radix notation using the 
Inverse Fourier Tranform and some further manipulation. 

The Schonhage-Strassen Algorithm is asymptotically 
fastertthaneany rother*multiplication algonrthmpcbutmet 
appears to be unsuitable for the multiplication of 512-bit 
numbers. The algorithm is clearly described in Aho, 
Hopcroft, and Ullman[7]; their notation is used throughout 
the following discussion. 

To obtain a 1024-bit result the algorithm requires that 
the 512-bit multiplicands be padded with 0's to make them 
1024-bit numbers before they are transformed using the FFT. 


No problems arise during the processes of transformation, 


, ry), a 
1 Peay, “ 


e In exiatnhy rod | 
oe GT Segoe 


ko See Ep cabbad i 
tee; ee (eral ne 
ante? ay ee od bes pf ee 
ovrresadepeds| ii pe Pent: 
vit Sabsear 2 ral eta 62 
eit? prix i shay phe SFYT Beene uae (ae pease +h: 
adbaigainia ni” Sia 9 cocker ROR | — 
qitew stasis yijlat hing» peony ade 4 j 


ri save), inad . 
sie-ire - Wo ees 
el 


82 


multiplication and inverse transformation until step 4c) in 
Algorithm 7.3 is reached. At this point the numbers 0 and ¢ 
must be multiplied and each is 480 bits long, which is 
obviously not a significant improvement in comparison with 
Enewors ginal 542-bitenumbers- 

The problem lies in the derivation of 0 and ¥, which is 
done in step 4b). wt and ¥ are derived by stringing together 
portions of numbers called u' and v', along with some 
mLervening 0S. ul Jand v’ -areveach: broken into™b: = 32 
Portions, each portion being log7b = 5 bits in Jength.. The 
portions when concatenated have intervening gaps of 0's, 
each gap 2log,b = 10 bits in length. Therefore, 0 and ¥ 
each become 3blog,b = 3(32)(5) = 480 bits long. 

The algorithm is effective for very large multiplicands 
because 3blog.,b for large numbers is comparatively small. 
For instance, with multiplicands of 64K bits, 3blog,b = 6144 
so that 0 and ¥ are each less than 1/10 of the length of the 
Mvictalanil ciplicands )se!OGLeel2—bib multi plhicandse rnus 
reduction factor 1S Still very small So the algorithm is 
inefficient. 

Research is required before the Schonhage-Strassen 
algorithm will become useable in this application. Perhaps 


a method might be devised to obtain the remainder without 


converting into radix notation. 


‘hr a 
. ee Spee 
lave 

& te 6 haa 

au dota’ 2 


ZPvy ove) tambon. 


4 


Gate f, aOR Hyee e@rh Agitne ae Oigna 
tel ad aw, po! silat b: oe) ‘gas vit ol 
pra dysagzal ccd eehne: comes ripits ane 7 
i) hall ig Rees Oh: siqutt ane tate 
af feet ae a iam « | dee! awe ted. qauee 
Lt: $9 ay re an iit = iro seihicoi datas 


Saul teens , a eee , goes Helcaaae 
oG ar aha Mad ‘ Pare) Bee Bibel vane en 
+ ‘ \ 
. at wis de AT Se ep es, 4oee ots “P.b24 6 a 


4 


dd Sitar igh wai eer ES <n9 vomia! tat efor tet 


Temdniniets ae SiimaMiRiNs? 7% in. chenntalh, nos om 


aépa pis gt a etx led tations wi pes 
ete, A ae cad Hinge vi c) ettasiain aa 


euendhs wwe if gh? ae? nyeny, 


“ 7 
he | 


- . 
HA ot a 
te 


~ 
® 


4 


83 


4.4 Approaches that Improve Timing 


4.4.1 Multiplication using the Karatsuba Algorithm 


The KaratsubavAlgorithm (see [153,4y7 ]) finst spublished 
in 1962, uses a simple divide-and-conquer strategy. Two 
integer multiplicands a and b, each consisting of n digits 


(radtxan)> are written as 


a Cr4n/20ae '+Ma, and. 


b 


(Ten 2i.y ete bs. 
The product c=ab is then computed using the Karatsuba 


equat ion 
ema (rAneren/2) ay bamete 4 r4n/ 24a )a, beer (rtn/2) Ga e-anytbe-b.) 


which requires 3 multiplications of n/2-digit numbers, along 
with some adding, subtracting, and shifting. Using the 
Standard multiplication technique 4 multiplications of 
n/2-digit numbers would have to be done, so the Karatsuba 
technique saves approximately 1/4 of the work ordinarily 
done. The equation can be reapplied recursively to each of 
PeSe OP Droducts#) coed fenpissagpower  ofe2euhens(374)9r0q,n of 
the single-digit multiplications are done as would be done 
Heangpehne™standard@algorithm, 1f£ recursion 1s carried to vthe 
point where only single digits are being multiplied. The 
time complexity of the algorithm is O(ntlog,3) or 


approximately O(m+ies9)s 


hrm Se 4 bay a tO re) ms 


“vt Spies pit 


z aL is : 
‘iesh, dD) sa onal — 7 ri 
. ; - ’ M4 De 


Po Achy be 
ene! Gah isthe eh 
Sale “athe 


r 
wheter cdg 


de Oe ny) fiat tah -* “4 A 
| re 
oe et 4 = 
snale..4% 1 ocanearel raee® hi ir - 
oe 
s4¢ grteee yt: An ; 
Rene | a5; a re qi stunt: t's 


e204 ingen e' 2 aa i, 


e! C2 eA view wa pT eee 
se 4 os p 2 = Hoh 
sé 8 a 0 ere: 


9.901 op 2) Cie : 


65> 60 i aa a ra 
od), 63 vrinsds aking ie 


Since use of recursion adds considerable overhead, 
Moenck[4] suggests that standard multiplication be used when 
the numbers to be multiplied are 8 digits long. The 
following algorithm for recursive Karatsuba multiplication 
uses Standard multiplication when the multiplicands are 


"minsize' digits long: 


1. proc recursive karatsuba = (ref()int a,b,result)void: 
2. begin 

Sh i moans =eupb eae sn 7 2esin tear! eb 1a Onb0s 

a. Gi22tn pinteanbi,a0b0-thucagterm: 

5. aie: =ealsien72)- atinsoea tn Z2 len): 

6. Dale te ales aera 0 ee = 2 ates 

Tie tf 7S minsize then Standara multla- beresult) 

Bi else begin 

oe recursive kKaratsnuba(al, pita tbt)- 

Oe recursive karatSuba(a0d,b0,a0b0); 

va Lecursivemkaratsuba (ad teatiebia- hOch1 ud trerm 
2s: shitt tand@add(albi-a0b0, hind Hermfresult) 

hoe end 

14, it 

Po end: 


Even the use of Moenck's idea for limiting recursion 
will provide only marginal improvement in practice. 
However, two ways of applying the Karatsuba technique 
Suggest themselves that will provide significant gains in 


multiplication speed: 
(1) In-line code and, 


(2) Parallel implementation. 


aay tan ad in 
ait? <enet 4 ne 


ned ac qi slow | : i a | 
‘1a 6 ‘das a a La fie conan 
| |  penol ef ten 
iplewtst vee one - salina ae ae 


) ane A 

‘if 53 Sen thas 
5 ae if s.'d'e on 

) ao i | \ishac Chee 

(anbeeni@ ef y(S\e td ws Li 


. 
Miasu'.c faban a ate ads oxtactan = ~~ 4s 
: . siped ands, 


' ay ent 


7 
, 
ce Ad. nnd S824) gyiasocry 7) ee 
phate apy J) MP Re2s! aeisavses 1: oe 
(imped Midge i he Ss) Roy +7 ae Senses 


A stured tate obey (dete, 14!) the Sou: tray 
aa ; ; a : sal 


Ld 
cf 4 
t 


ns i600, 


0 £209 ss ee a ee Si a eet - scoot ea 


* 


ee) | dae» Content: tine 4 


spianset acess mee gl ‘ev sau he et | 
af niog, 2.098] ‘ WOW T) \eciees we 8, 


(1) In-line code. 


Michelman[36] refers to the splitting of multiplicands 
into 8 pieces each before multiplication using the Karatsuba 
technique and states that multiplication then proceeds twice 
acwtast,, including overhead, as with use of standard 
multiplication. This idea is applicable only when the size 
of the multiplicands is known in advance, as in application 
to the RSA cryptosystem. The idea is simply to carry out 
recursion manually to generate an equation that can be used 
in a program. Depending on the size of the multiplicands 
and the machine word size, more than one subroutine may have 
to be written and a cascade of subroutine calls used. 

Thus, on a computer with a hardware 16-bit multiply, to 
multiply two 512-bit numbers an equation is written to split 
the numbers into 32 one-digit pieces; with overhead, 
Mule¢plircation speed 4s improved bya factor of 
approximately 4 compared to standard multiplication because 
35=243 integer multiplications have to be done instead of 
the 327=1024 multiplications done using the standard 
algorithm. 

Aldternatively, the 5ii2-bit multiplicands cangiurctebe 
split into 8 pieces each, and multiplication of these pieces 
can take place using another routine which splits 
multiplicands into 4 pieces each. The first approach, using 
a single routine, provides somewhat faster multiplication 


speed than the second approach, but it requires more bytes 


85 


iyo Sl Beth 


sant dhe ie é 7 
edyest = ‘pas pa. 04 
soihr at Kia ind ” 


bustaare ‘oe vind: te | 
bata wits sete _ Ore eee ola ) Lt tie 
fl a i 
evijecligge mi 4 ecteehhal a " fat sboaakie “a 
tue ¢uien of “gfe ee aah? see yen seoauete a ads aa 
Secu wi eu Jarl ruc Sale ms asia \o? x eur nag a3 7 7 
sbousiigdstuw sA% ae wtiy ots eats : oye conten a 
1a ba 
ie 


evan Vid Sto gor Ren Be) vas pn pA a onda c 
/hoaey a.) b> Sar oe Ne wats: *~ tan Prertts sd 
4 19% rer Ay eotyr on ” ad, fy yay a ioe fd 
sf Le ' 


dae Perey eer es vote NG. dindnad sad-fe? | eee 


bags pene wD 208 Je ib-Ga0. At grak un 


vc 
1s 710g ai a Pa bev i Gaon enivesbte yi a duel 
eeueoss ie) E71 Qh ‘yi iadhin 9 ¢ ei egy ‘ aivsenty ae 34 


iy heeddst asin adel. Y) nte42 MORES ALLE osete 


faghheta Gls pink ae seat ct as pari: ‘ 


: 
(Te 
a 


; ; ay, ay _= 
: ao : 
aed Pry (9 dy? saints bd a -tiavirenvagt J 
As it HS ele . : ; 
, ‘ ' As wy 


meant semi? ie agit 
| - 


86 


etecode toPbecwrittensands retained in memory. 


(2) Parallel Implementation. 


Consideriinesuostomd 1eofethe, recunsiveskaratsuba 
algorithm detailed previously. On a parallel machine the 


following code can be used to replace these three lines: 


on par begin 

Oe recursive karatsuba(a1,b1,a1b1), 

bys recursive karatsuba(a0,b0,a0b0), 

2m recursive karatsuba(a0 - a1,b1 - bO;third term) 
is end; 


Note that the computation done in each of the lines 10, 
11, and 12, 1S independent of the computation done in any 
other line, and that all preliminary computations are 
completed in lines 1 to 8. Clearly, 3tt processors can be 
used to do the computations in lines 9 to 13, where t is the 
depth of recursion desired. 

It should be possible to build a parallel Karatsuba 
multiplier’onva chip. The timescomplexity of such an 
implementation is O((ntlog,3)/(3+t)) which approximates O(n) 
for small n or large t or both. The device may be easier to 


construct than the Willoner Parallel Multiplier. 


peed mre | wee?” ‘nm 


tnse? Syfea Oe tal~ view: | s 
. [i Cae 2 
. mat Rraaee - t | «@) i 
- i ; a P ; a Co \ 7 0 
OT (o@als “Sere 24 reer | &) eho mel ry uid eee Moe 


( d Ae 4% lyr arf: x . pty er 7 

ae f' anee oi +4 gato \ 4d) 33 A4aSdnqabab wi i baa, ‘ ie 

+n Sanod 10 t0dplins {anime WE upe sade Bae pear 49 

7 ; » 7 gone —_—a P (> ae Ee i: 28> ae : 

ee, eee 2 dantt) ni mE) 

Ly =8'\ : io at gob Pe rahe , 

“fd 2) > s2ede,Si-o) # aagte ni anatddenuques oz : 

ts a Oe 2 iO. See 

o bitee <3 slnisacg ed fs 

7 ‘ a - £ © ie a= 

eis oft /qits oho a9l kg 

; YS ee es % 

\itypotiahie af naiads renal adh 
\djet se 4 egal ao & Liew 9 


_ 
- 


4.4.2 The Preconditioned Fast Remainder Algorithm 


a. The Concept 


Bromsbasicemodularearvthmetic, Vf h=  c-ie eke emodeD 

can be obtained by computing 
h mod p = (gx(i mod p) + jx(k mod p)) mod p. 
That is, mod's can be taken at any time. 

The algorithm of this section, the Preconditioned Fast 
Remainder Algorithm or PFRA, exploits this fact. The 
dividend A, which is a digits long, is rewritten as 

Ay (ra Ca=2) ) ot AG 
zis the interval selector. A number of iterations is 
required to compute A mod n and z is set to a different 
value for each iteration. During each iteration 
r+t(a-z) mod n is looked up in a precomputed table, 
multiplied *by A, uSing a fast multiplication algorithm, and 
gacdea to A, to form a result congruent to Alymoden. 
Iteration terminates when the result has the same number of 


digits as n. 
b. Development 


Let A and n be integers of length a and m digits 
respectively. We want to find A mod n. Let a be greater 
than m, and A(p:q) represent the p'th through q'th digits of 


A. A may be represented as the polynomial 


87 


1008 paggeang 39 ta 
tend ae 


aq) tet: (cena eniad eh 

o> teehee) 

4 4 ong tie ses bly Acute AL 

! roathe® 4 vv ie @2 ie e ee pS T | 
Laban ‘ree okay aie setae 

| heer beevmsiap ele ietitrts 
bne eassmaee ae sot pe pisos t7 
i don Aa 

ie. pact ales “ne, 


88 


A(1:2)(r+(a-z)) + A(zt+1:2z)(rt+(a-2z)) +...+ 


A(m-2z+1:m-z) (r+(m+z)) + A(m-zt1:m) (rtm) + A, 


where =2 is the jntenVal selector, 1 is stherradix sanders 
TPeVEecents Phe melow-ordersdig tts. Olly 


A mod n can be obtained as follows: 


(1) If x 2m find the modulus of all the terms of the form 
Gx mee lhateiSspetind=(mitaaz)) @modin, r+ \a-227))) modan 


sy (c+ 6mtz)) tmod'’n; (rim) imod"n? 


(2) Multiply each of the results obtained in step (1) by 
its corresponding portion of A. That is, compute 
Avi: 2) (ra(a-z) mod neal zhi .22) (erla-22z)) emodmn ee aid 


SO. £Orth. 


(3) Add the products obtained at step (2). Add A, to the 


LeESuULte. 


(4) If the result in step (3) has more digits than n go to 


step (1), otherwise stop. 


Eventually the result will be m digits long. At that 
point if the result is still larger than the modulus 
standard division by n can be*carried out tovobtain the 
final®nvesult? thesdivisionewillitake bittlestame since tthe 


dividend and the modulus will be the same length. 


#10) By 3 aera e meth i 
Y bee Ciat- aren) yt tee 1 
i (Sy don heaved 


‘1, 
qa 4) ghtw 2 edaltuagy aasvews 


eaves ok: SA ANG NSN 
bag, .¢ tery i iis me 


72 op 4 Age? azigth | 


rena gh », ool Ppp tiveet, ate risa te: 


wu ition iia eo ilive eb 2 


89 


If the same modulus n is used repeatedly, as is the case 
in encipherment of a message by modular exponentiation, the 
values required in (1) can be precomputed, placed in a 
table, and used as required. Each entry in the table will 
be approximately m digits in length. 

ROrsexample, sletzA@se 36502956. En =N2657%@an= SF mye—e4- 
ands Za=w2. 
ibm DSemodins=16828110+* mod mm =9572. 


WaoeeeRewrite A (ase (36)x 10" 530) x104 922956 7macompute 
(6) <(632)R=822752F8 (30 )o1057 2) ea 8 7 te: 


(Symecompute Al 9= 22/752) + 171600492956 =0 42060. 


C4) 842668 has 5 digits and’ n has 4, so iterate. 


Gipemi ce Bmodent="5/2e (already computed). 


(2) @RRewuiteba's’ast® (4) x10* 7 te 28686" Compute 44) xt572)e- 
Zeou. 


(compute Al = 226882 20600= 5156, 


(4) A'™' and n have the same*number of digits so stop. 


Since A'' is greater than n, standard division can now 
be used to obtain the final answer, 442. 

PE Avistavilargetntmberfand zeis®chosehm correctly a fast 
Mmiuletoimcation algorithm can, besused to carry outsthe 
multiplications at step (2), reducing the time complexity of 
finding the remainder. The problem is to choose z such that 
at step (4) of every iteration the result has fewer digits 


than at step (1) and to make the choice optimal. 


oT hee 


Jeet co YSESerras oS 


ai yee aie 


et 


, i 


ibrw ‘tas ccd bil > 


+s tien ee : 
ae patie 


ive <7 bem: ee “a be eof 


* dimeie” ae 2 60s iit) + Aprutaes as cet 8 
“ ieiita v MSFevetaee Pausrs.« a0 iartaee 

7 Sate = : Peay > wil Cae SeTs Fala sduqnad hy) 
eouis 2a hi Lavage wii! as mine aed, wage ry 


~ i 
ca ie ungema= oct oty: eon : hon. ‘of @ 


teh nyyee tees . ow a | ease - 


- 
t he 


- Jaa eat, + PIER > epee er) 
Qete uf ‘tb eae etas whe wens a aa bs er | 
y at 
i 
wun Aug 223306 ate 46 ees eile A eh cama ; 


oe 
pus Enat ony: "alactae’ ai 


ok Ps is tadant epyet ve ir 
aay tuo bdiale 2+ 2 Bd: eq penne 70; 


ce 


vag 
‘e 


ei 
or fit r= et 


o Lia aac emg by wb ee J ye. by. 
egianye ws ae ree 


90 


If z is chosen to be (a - m)/2, where a is the number of 
digits in A at the beginning of each iteration, a polynomial 
for A can be derived that is quite good and perhaps optimal. 

REVA Us tinitiadl ye2medi guesarastenumodulan 
exponentiation, another way of expressing z is as z = 
m/(2*i), at the ith iteration. With this choice of Area 
will always be split into 3 parts at step (2) of every 


MEeLat1 OM, Gals tiollows: 
A(1:z)(rt+(a-z)) + A(z+1:2z) (rtm) + A,. 


Note that in the second term replacement of '(rt+m)' by a 
table entry is simply replacement of an m-digit number by 
another m-digit number and is of no value. Therefore, we 
recommend that A be split into just 2 parts at the beginning 


of each iteration: 
AGE 2 ikon Gaaz )\) eeeAre 


This split requires just one table entry for each iteration. 
Now, consider what happens to a 2m-digit A if zis 
chosen as above. On the first iteration z = m/2, so A is 


split as: 
RG om7 2) rem 2 ) Je Arar 


After multiplication and addition we get a 3m/2-digit 


result. On the second iteration A is split as: 


A(1:m/4)(r+(5m/4)) + Ay 


tara oad ta és 


rs ) anti 7 aia vi a a » i a 
= 5 On Bt i Ones ay 3 / oi: 7 i" 
aie - cal 


ins Sa, (PD eg Cial steed i a 
| Pai oa Tewolio’ 7 noi dia! 


om 
48, 2 ine eh ‘1A ‘feiss viata i. 


avd are’ he alia ae aging 3 gre BW: L 

i sedeou Bic liee aa to d4anevatiea 'qlanie el que 

au yt ane ays neta @ is Joerhieati digitre 
<i) din Seyi) eh pat eee ia’ Od i74, Aloe sd hight ve 


toes met Sot | 


ae v * : ha \ 


er eee We 4 


a 
iqa al 


lisse: iy dae vot putes eae fail contuped re 


od ve 
ee) , uaueggad tai rebibabo> 4 
‘ei A 32 tan * “2. 416 a 


vi 2 yin - pehcai aces <n pat 


on ar , 6: 


to obtain a 5m/4-digit result at step (4). In other words, 
at step (4) of every iteration we have an 

m+ (m/(2ti))-digit result. Since m/(2t+i) becomes small 
rapidly, only a few iterations are required to collapse a 
2ZMad1gie number-s intact, thesnumber of iterations, sand 
elerresmine the table, 1S Vog.m. 

Let P be some multiplication algorithm which takes time 
Mim,m) to multiply m-digit numbers. Bet k be the ratio 
Munim )/M(m/ 25 m/2) eee het RC2mym)® be sthe time takensteoetond 
the remainder of a 2m-digit number when divided by an 
m-digit number using the PFRA with a multiplication 


algorithm P used at step (2). Then, 


Room wma Mir) (27 ke be 4/0 ee ew ee) 
<(M(im, 1)er—e (ifiP ==standardialgorithms k@<=4) 
<) 2M(nm)e co (lf P =" Karatsubamalgorithm: theses) 


€ goes to zero asymptotically, so in this application it 
will be small since m is Varge. Therefore, in application 
to modular exponentiation, the PFRA will find remainders in 
less than twice the time to multiply or square c, if the 


Karatsuba algorithm is used to multiply at step (2). 


y Actually k is not constant for a particular algorithm P, 
but rises asymptotically tomas limit. Thus, @h-49ein sicoe 
limit for the standard multiplication algorithm but is 
actually 3.96 if m=80 is ‘substituted in (the) timing 
formula for  mUltiplicabion —G1Ven nesCheapler ei iree 


(footnote, Section 3.4.1). 


O70 


eo 43 Daas - : ‘ 
o% ae oe “e ae : 
7 T a er gl 
BOW, Ae 
RY 7 -) 
7 at ty bows “ue at 4.0 rs \a pet 
ie 


7 : Wns J oc 
ma ots 

7 
fos & ber pes ah io 
nl ee t2@ 


(7% Py b a) ee mt 19) 
i o- pee a 
' : ar 7 Liat ‘- 


a0 oe eno 7 me 
}, GSE may Ys ele, wren %s gm «@ 


I 


t - = om } . } wet ‘ 7 bila 


om 'f " amie to ; 
lay , > 5 a Ae 
rY ay 
44 aes 
a 7 
4 ‘ : , 
, : 


A 
ee a | Lae © 
ert) a ree 
.% - 7 
"4 


ras on 7 wodaet 


7.) pee i. is 
i | “s , 
Loge | 
- ‘ 


14) “ste te 


( abe Iie ve ot amis 
oe re : 
stun 0: bei 


c. The Algorithm 


Algorithm 4.1 is the Preconditioned Fast Remainder 
Algorithm; we provide a small example to illustrate its 
operation. 

Assume that “a@—isti¢ Gigitstin Vength andsthemmoculus 9 
is 8 digits long. Assume a precomputed table of terms of 
the form (rtx) mod n with each table entry being 8 digits 
Tonge @hucther assume that ‘a’ “is to be collapsed until it 


PSeOedigivts in length; “that 1s, the varvable limit ™ is eset 


£076 

Vile es pimateis entered withBia’® andtllimiit yagiSincert6.— 3 
the loop is entered. 

(2) ‘collapse' is called with 'a' and a pointer to the 
first table entry. ‘'z' is computed as even((16-8)/2) = 
4. (even is a function that returns the nearest even 


number to a given real; this is done for convenience 
since some fast multiplication algorithms, such as the 
Karatsuba algorithm, require multiplicands with an even 


number of digits.) 


Gajees’collapse’ is entered. The low-order yi 2edigitssot esas 
aresplaced=ine a0 “Lemporaraly (ime; aces a CSG ee 
'mhote' is called with 'a(1:4)' and the first table 


entry as parameters. 


Sie 


+h i ; - 
 - 7 
* oo leo ate inva ceevl a ao: Sigtb el) et ‘nt 
; ‘ ¥ _ : ; a 
paying 4 


is Bode? Jo. oleae st 7 
o21g0h @ ened vraes vides par ' 
$i Tieng teegetion adios 2 ‘at, 


, 
7 ; ; . = 
$68 “Gieli"® mia hey iS zs 
i 2 > y 


‘ » : ; : Ot 


7 
P SAV va es a Sob Fe 
Snel” “eR! bad "pt daly beabdnw Ray torte 
bs the ieee san ai ape. 


Teh ive 4 } gS 
ie ©) “Myidlad. 5 : bin rw aie vente el, ‘nado t ba 


» iB iG | mare ee, bo mgm 2. 8 Ae vite: se7!h, 
neva feeTeeo gf3 owiie Ad aorzanya & af wae) ‘ o 


Vises wel eof ie tia ) 
RAV Se i 
tata iam reat = = oir 
= 4 7 


yi 


io 


a 
‘ 


eel 


i. a tigth te or 


634 « 


La 
‘s ‘oh aaa var RaT—280 at Bic 


ao a 
od 
; 
-_ 
i 
- 
. 


; ie ie inn 
ath ion * 


sa’ 


tipo dat ni anf t binge 
al ) 


'ms' or 'multiply and shift' multiplies two integers 
a and b, both the same length, using 'fast mult’. 
The result is shifted left by 'shift' digits and 
returned in the result vector 'r', which must be 


long enough. 'zero' is a routine that zeroes out a 
VeELOr. 


co 


proc ms = (ref()int a,b,r,ref int shift)void: 
begin 


zero(r); 


r(upb r-shift-2*upb a:upb r-shift) := fastmult(a,b) 


end; 


Algorithm 4.1a. 'ms' 


"mhote' or ‘multiply high order and table entry' 
multiplies a z-digit number ('ho') with a table 
entry indexed by 'te'. The table is assumed globally 
available. ©!getite.gqroup’ obtains thesgithsqroup of z 
digits from the table entry. Table entries must be 
multiples” oOf-z digits, intlength? 

co 


proc mhote =" (ref()inteho, chintete) voids 
begin 
Mrtez = Upbehomaohir tyes 1? 
Mieupb rt) inteniemsero Ur eZ eroundi)r. 
Qjezjunt telquoup; 


forlsiefrom (upb tableire)ai/z by isto 
do 


get te group(te group,table(te),1,z); 
me(temquoup, hofripshittes r= hiie 
add (rer ers) 


od 


Algorithm 4.1b. 'mhote' 


y3 


sshd ‘ord ont 16) gman Tee Oa 3 
epstnd ow [ pai. hw. aah i » os ip +ip 7 
ie bagi ” » Sab ) WIRES: oB ee ‘7 

. ra a Bs + : ee A : 

E 4 2 od tpi tt ia he * ee we ‘ ado ak 


ad Deas ide 
en aes C: oot 


he ee a ‘eee 


ile 


( ey ¢ 
: on ; 2 ad 
OD iP AL i : 
i ee i} 7 ‘ie bi ay cy : 1 
; ‘ - 7 
:beowt 43 ted 1.3 & ay ‘ d, # 4 Ii to - m 3¢ 
’ Chalial alibi bas die ier 1d aman) Xe . ects * 
‘ Kevin: if ; - 
; {vas way 7 ; 
i U sad. 
SM OPP, a 
5 7 LL ‘ 5% ; +3 i i“? rel Ey ies 
Lov 
} : ‘ i 7 ‘. 
] Le a - 
{ Mel. 7 
ea amd SaaS Binet bie eg : 
‘7 
' + » 
~*~ a8 ws ' 
f 
a - pareaps insane hatiarl niin oetiatiaiallaty Cieedin' 
j sha ‘ | 
. } id ; 
mF | : av 
ee: o oat % 
p borers, en si@esi bn? 
r , =o hy 
cath, WL agate! eens aia ihe. 
” sd 7 4 7 ¢ ¥ 4 
| fc ; ie 


. re he sil ; 
age {iS oves (4a ane! 


| HL iaaa 
| Fa sa ie ae 
O92 


ae Se] 


an 
' of t- gh ag forry Gés dau 7 
; : re ; a i vw 


‘cOllapse' extracts the high-order 'z' digits of ‘a’ 
the number to be collapsed, and multiplies them with 
a stable entny indexed by “tel. Ttvaddsstherresulture 
'a0', the low-order digits of a, and returns the 
fimal=collapsed result in vay. 


iy 


co 
proc collapse = (ref()int a,ref int z,te)void: 


begin 
Gisupbva)inteads 1s) zero(a0) mzero ur. 
a0. Cz upbeayie: ama lz cUupb ea) 


mhote(a(1:z),r,te); 
zero(a); 
Yolo (eta) ie F\)) 


end; 


Algorithm 4.1c. 'collapse' 


'pfra' or the ‘preconditioned fast remainder 
algorithm’ collapses the number ‘a' until it is 
"Linrt' digits in@lengsh¥ ikicetez’ computes: the 
interval selector 'z' by computing 
EVEN((length(a)-m)/2), where EVEN returns the nearest 
even number to a given real. 'length' is a function 
that determines the number of significant digits in 
(i.e., not counting high-order zeroes). 
'te' indexes into the precomputed table. 


Porm proc piraa= sore) intec limi ty).Vvoids: 
27. begin 
intez te. =O, empl ea + 


while length(a) > limit 
do 
Collapse(a,2 c= det zia,m), te t= 91) 


Algorithm 4.1d. 'pfra' 


94 


rel 


so 


wong 129 o Come ahi 


*axaltie Bhd Tilson: 
Thy VIPAT |) 
thts - w ieithwenies BLE RE ae - 7 


Pe 


i ye he He ge pease od Uy 
Vi thite YF hsinst ya mous i hace Ri 


| os ab seal oltre zene ve tat Poort tna Pea | 


Jeeta Bd3 wey oni vtaei is S\ Gand) error t 
| i740. A "al eh oe 4 mtig @ er. W agsve i i 
Lat @edigte, sonal siiy i fhe “pein ot: Rea | ted3) | 
| tvoamas 346 A orianuas 200) ¢e@ek bh.tat 6 
| ; bet beaver wit ogni 29% tee? of 


” @ re. 
ri r 


r 
reine a i tnd | Nhe) * ‘aie a <e 
ha * 
| 4 ‘seen =m ie *! ad va i Bs 
Jy Peet = Uallaones ht oe 


(t me we i 00. at cosiaeatiane 
| AA gh! Aes 


5 


(4) ‘mhote'’ is entered. 'a(i:4)' is multiplied by the 
table entry, requiring the loop to be iterated 4 times. 
MmS"tis Used)to carry oUt multiplications, with 
shifting as necessary. 'mhote' returns with a 12- or 


iegargrel resulktiwe' ois. 


pope cO’lapse” adds “r' to 'a0'y) eyielding al2-some ts digi 


BeSuLe whichevSeplacedutnm.a w, 


(6)e Stneeabal’ Biskstish] Siongemsthan (Gadi gutemmsteps 1 )mato 


(5) above are repeated with the new ‘a'. 


Eventually the algorithm terminates with 'a' 8 digits long. 
4.5 Conclusion 


Using the improved algorithms developed, modular 
exponentiation can be done in the following way ona 16-bit 
micnhoprocessor: “Assume that: the routines \K32%digies’, ‘Kié 
Guo nesmnm KS digits! eiK4adrgutsh, €andg@ik2 digitserane 
available. These routines multiply two numbers by first 
Presmingetneminto 32,0116, 6o;e+ Olsen DieceGmresDeclavely, 
depending on the lengths of the multiplicands. Assume a key 


Giesit2 rbres. 


(1) The routine 'K32 digits' is used for multiplication. 
The result of each multiplication is a 1024-bit, or 
64-digit (radix 2°°), number. Recall that this 


requires 243 integer multiplications to be done. 


ib | ‘> apa xe tay IBS nats 


vation 
S4a°o" @ AB “em 
Orr,’ .,einds oe - 


qior, 228 @oF 
Gee G aah. 5 


(2) To obtain the remainder after multiplication the PFRA 
CallseuKiO@di gi tsietwice,  iKSedigitsWemtimess UK4 
digits’. 87fimesj@and wK2edigits'M@6e"timess. The integer 
thateis leftuatterstheselicalls ais s4edigutcmlong amr 
Standard division is used to reduce the result to 32 
agrgqries, ore ol2ebits. Counce ing onl yechemcina led ga. 
multiplications that must be done to obtain the 
remainder and not considering overhead, we see that 
Standard division takes 32? = 1024 integer 
multiplications, whereas the PFRA will use 
approximately 450 if used in conjunction with standard 


division when 'a' gets small. 


Therefore, the total work to do a multiplication and to 
obtain the remainder is 243+450 or approximately 700 integer 
multiplications, which is about one third of the number that 
must be done using the standard algorithms. In other words, 
aetactoOr Of improvement of; slightly Tessethan 2 over 
Michelman's implementation can be expected (if overhead is 
included), justifying our earlier assumptions in Chapter 
Three. 

Finally, recall (from Chapter Three) that thesusesor 
modular exponentiation for prime generation differs from its 
use for encryption in that the modulus changes frequently. 
Since the PFRA requires that a table be constructed and used 
for some time it would appear that prime number generation 


cannot be done using the PFRA. It is possible, however, to 


96 


= 


ees 
OAD pot 
_ 


- 


a 
- 
P bof nhs 


1D 


700 oj : fl » MO o se 
iA 4 fee a" { = +2 
% 7. 4 7 Z 
feag pid “a* iaedy 
5 Vy ne 7 
= ae yee 7 
a , a \ 4) ad ae a wel oie, ; es N 
ad tq > 4b Vestas al 2904 Lea 
- ae ? : -_ 
S t a. doles 7 <P 2 3 4 i 
i” y visa tam of 22 edt ord 
ad 2iuh yilaeps ba to soeeave 
- i os _e ' - 
i: Q @ swo ncisedne 
: ‘ 
sie 


¥ 
Se a 


a 
’ “et? 
ve papa 
a 7 ’ _ 7 
7 7 A 


use a dynamic table for the purpose of prime generation in 
which the entries are decremented as the modulus is 


incremented. This should be easily implemented. 


oF 


Summary and Conclusions 


It has been observed on numerous occasions that access 
to information will gain importance in the society of the 
future; if this «is true then the converse is also true: that 
non-access to information by unauthorized persons will 
become increasingly important. Therefore, it may be 
expected that with the anticipated rapid increase in the use 
of personal computers in the years to come that a secure 
personal communications network will find wide application. 
People will vote, conduct business, and send unforgeable 
mail electronically in the privacy of their home or office. 

This thesis has shown that it is now possible to build 
an inexpensive, microprocessor-based, public-key secure 
communications and authentication network. A protocol has 
been outlined wherein network users generate their own 
keypairs and, because of this distributed key generation, 
they are protected against forgeries and active use of a 
stolen or lost secret key. It has been shown that the 
channel capacity and key generation speed of such a network 
may be acceptable for some interpersonal applications if the 
latest microprocessors are used, incorporating algorithms 
described in the thesis. 

The actual implementation of the proposed network will 
take some time and effort. Although some of the necessary 
software has been implemented in a high-level language, 


there is much work left to do in rewriting RSACRYPT into the 


98 


_- ition apis 
ai Voi youtooe 30] iad : 


sadly quad cbt ef een 02 ic eae 
thin anooueg 

$0 ym fi one 

ogu add PE senatzart Blea, 
weak A T4608 Somes Brtey sho 
ti tat Viggh bie adage cw #208 

sit dep yin age’ bea keer em 
oortio we aed ROPE SERA GLO iP 
obiat 22\ndy ete an ae HM +o ant “eh 
3 woe dgdsad (erg «oahu 214 

cost aera oo » nae lie ibs taaasied ‘re, 
owe es te anesvidg Serb oivden ntaneay & 


, O27 07008 > 


6 te sae ol Soa) hh 

au vere oegfe 
s70NTIN a gopa an’ 
od? 42 encipans HQ, 


- ent ok on 
y ori i a aa 7 


99 


assembly language of the microcomputer to be used, 
implementation of the algorithms described in Chapter Four, 
implementation of the software needed by the key 
distribution center, and design and implementation of 
Softwarestotallow mail facilities, 

If it should be decided that the proposed network be 
built we recommend that work proceed, in parallel with 
software implementation, on the design of an improved serial 
algorithm for even faster modular exponentation. We expect 
that the algorithms described in this thesis for 
multiplication and finding the remainder of a division are 
not thewlast word intwhattcould*bevtdone:*iteis not 
far-fetched to believe that a truly real-time 
microprocessor-based network might be built, in which people 
would communicate at 60 words per minute or more. 

Another interesting topic for further research is the 
construction of a parallel Karatsuba multiplier. Such a 
device would have application in areas outside cryptography, 
particularly if it were inexpensive. It might be designed 
to permit the addition of components at any time, thus 
allowing the user to set multiplication speed at the level 


desired. 


a 


ciate dat a ; 
~ oe ee Ae 


ae Tee aie » 


1 “8 ebeade apie at 
es | 
sole abt ge indie iil via a 
1 aks shgee gidat 4s indo 
eladery Asedy at | | ah Fal Se» "ders okay ' 
/ aoa Fo.» i crane oa Ake 
eds ee sori al aot: dad’ | 
* ton ahs * 
“ope reieqyss @)iadeh ae 
bong dent tanh seta: tT a 
Bint? ee. 


level pite-ta 


Co 


[2] 


se 


[4] 


[5] 


[6] 


[7] 


[8] 


[o] 


[10] 


Raa 


[12] 


[ais 


References 


AHO} A. Vee Usb CDeCGLOLE wand J.D aU Wl maneen) He Design 


Se dB ALS of Computer Algorithms, Addison-Wesley, 


Beker? HvJS; = Security@in angblectronic?mundsmransrer 


syotem), Thformat |OnsPRivacy;, vole 2, noses.) Sept. 1980 
(8 Refs) 


BEIGhUP SHES. fandeRiL. 98 Enrson se 100asi-zRandom Number 
Sequences from a Long-~Period TLP Generator with Remarks 
on Applications to Cryptography", Computing 

SURBVEVS, EV0Ol le I, SNo? B47 eDechat979e G4 dmRets) 


BRoghty, HS s fand@rel. = Enison es icryprography.usi nag 
Modular Software Elements", Proc. AFIPS NCC, Vol. 45, 
ASEPSSePress, AntingtonmmvareDD) |.Jaicsmamigs 6 


Cabay, S., Personal Communication, University of 
Alberta, May 1981 


Ghaum, Dob., -"Untraceable* Electronic’ Marl, Return 
Addresses and Digital Pseudonyms", Communications of 
thesACM, Vol. 24) No. 92, Feb. 1981- (5s)Refs) 


Daviess Diw. -anad@DGAt Bebe ll hi EProtecticn tovebDatas by 
Cryptography ~Aeinfsormat jonsPrivacy,; Volrez, No. 3, eMay 
1980 (3 Refs) 


Davies. DeWe, .W. LDP UPaice FandeGminigeParkinepeltevatuation 
of Public-Key Cryptosystems", Information Privacy, Vol. 
PNG. 4) “July ei O60r GivweRens,) 


Denning, D., "Secure Personal Computing in an Insecure 
Network", Communications of the ACM, Vol. 20, No. 7, 
July 1977 (31 Refs) 


Denning s,eD. sand@2) *eDenmingyeeCentibrcation of sPrograms 
for Secure Information Flow", Communications of the 
AGCM@EVGOE. 20, NOWOT Pauly. 19772 (31 BReES) 


Denning Derand =a) Wenning; PDavawsecurni vy a) (Compu ning 
SORVEVS7 VOlLMEIIy INOwc ;mecepL.. 1979 0M Rers) 


Duhhie Ww. andeMVn. Srtieliman, aiNew Directions in 
Cryptography", IEEE Transactions on Information 
Pheory VOU. Li=22) (NOs scye Noy mmc? OmalaRe lS) 


Holer) Di tandParontavacy MOnevhesSectnityror Pubiic-key 


Protocols", Stanford University, STAN-CS-81-854, May 
1981 (Abstract) 


100 


ry Cae 
m, +m repos 


ne ojed soug? cma 
sv re 


strsiaia : 


hl oo 


shed! chic te Do | 
wa *3 engl 


ae eyeh ata 


ie Mokonth a fee 


Grl hewn, ae te 
denen roe 


[14] 


[15] 
[16] 


ea 


[18] 


es 


[20] 


Pa 


L224 


(233) 


[24] 


[25] 


[26] 


(27) 


101 


Fabry, R.S., "Capability-Based Addressing", 
Communi Cate onss ofa thes ACMen Volel 197] Noe age 
JUL yYe19748 (N65Re£s) 


Feistel, H., "Cryptography and Computer Privacy", 
Scientific American, Vol. 228, No.5, May 1973 


Fenton, J.S., "Memoryless Subsystems", The Computer 
Jeuppal, Nowe 17k Note 2eadane US7em@erets) 


Gardner;iM., “A New Kind of (Ciphers That Would Take 


Milivons of Years) to Break") Scientific Amenicanaivol- 
236, No. 8, Aug. 1978 


Gordon, J... Use of Intractable Problems sin 
Cnyptography!, nrormmations PRaivacye@ vole (2G No >, 
Septned 9808 (G0 Refs) 


Graham, Gis..and Ps Denning, “Protection. = Principles 
andpPractice!, Proc! 1972, 4EIPSsSprinosvt= BGonpater 
GOnGan VOle” 408 APRIPS! Presspe Montvale: Neda. G20NRers) 


Greguras, F., "Corporate EFT: Vulnerabilities and Other 
Audit Considerations", Information Privacy, Vol. 3, No. 
3, May 1981 (0 Refs) 


Hellman, M.E., "An Extension of the Shannon Theory 
Approach:to Cryptography’, IEEE Transactions*on 
Lntormati onmi-heory is. Voli as ETs235 “NOoISGEPMayanS77 iS 
Refs) 


Hellman, M.E., "Security in Communication Networks", 
National Computer Conference, 1978 (18 Refs) 


Hellman, M.E., "The Mathematics of Public-Key 
Cryptography”, ScientigiaGAmerl€anyeavcole 2417 3No. <2; 
Aug. 1979 (4 Refs) 


Hindin, H.J., "LSI-Based Encryption Discourages the 
Data Thiel EBleCEronics, ouner 2i, micc2 


Horowitz, E., "Modular Arithmetic and Finite Field 
Theory: A Tutorial", Proceedings of the Second 
Symposium on Symbolic and Algebraic Manipulation, Mar. 
1971 (22 Refs) 


Kahn, D., The Code Breakers: The Story of Secret 
Writing, MacMillan, New York, 1967 


Kamp. 008. amd G.1.e) Davi dagmiStuveturedsbesagqnect 
Substitution-Permutation Encryption Networks", IEEE 
Transactions on Computers, Vol. c-28, No. 10, Oct. 1979 


on tn ie tG - whe tank 
ve Ser: Mh oe Sat Bt 
bptea Ox) ye a sAae3s «OP le: 4 e 


© 5 aal ee 


cok) bog. Oadby ad aida DSS ewe > 13 108 | 
am wh fav bene e srt} snF sa (ar: 
Pyikepea a ee 7 
Garr ge Cay ‘tea’ ia i ae ae 
Sinai imal ses Of) 
4 vty \ og « i an re 
a View 
. "24 5enesr oo 36 46 el cate 
ne become 


fool lie 4a gah oot?) a 
1% «Ol oVet .iat ~~ ‘oe 


[28] 
[29] 
[30] 


[3] 


eed 
[33] 
[34] 
[53 
[36] 


37] 


[38] 


[39] 


[40] 


[41] 


Kline, C.S.and'G.J.) Popek, "Public=Key ws. 
Conventional-Key Encryption", AFIPS National Computer 
Conference Proceedings, New York, N.Y., Vol. 48, June 
ara eee97 9) Cus Rets) 


Knuth, D.E., The Art of Computer Programming, Vol. 2: 
Semi-Numerical Algorithms, Addison-Wesley, 1971 


Lampson, B.W., "A Note on the Confinement Problem", 
Communications of the ACM, Vol. 16, No. 10, 
OC oy 3 


Eempel aA ., G.Gryprologyimin Transition”, Computing 
Surveys, Vol.i11, No.4, Dec. 1979 (47 Refs) 


Lennon, R.E., "Cryptography Architecture for 
Information Security", IBM Systems Journal, 
NO PING 28 1078 en (ouReE ps) 


Levinson, S.E. and M.Y. Liberman, "Speech Recognition 
by Computer", Scientific American, Vol. 244, No. 4, 
April 198) i(25Rets) 


Merkle, R.C., "Secure Communications Over Insecure 
Channels", Communications of the ACM, Vol. 21, No. 4, 
April 1978 (7 Refs) 


Merkle, R.C. and M.E. Hellman, "Hiding Information and 
Signatures in Trapdoor Knapsacks", IEEE Trans. Inf. 
TeCOnVs, Wl TTs24 5 No eto * Sept. M1978 G04 eRets) 


Michelman, E.H., "The Design and Operation of 
Public-Key Cryptosystems", AFIPS NCC Proceedings, New 
York eeN&Yn, Volo 48 ,asuner4<75,, 979) G3 *Retis)) 


Moenck, R.T.., "Practical Fast) Polynomial 
Multiplication", Proceedings of the 1976 
Symposium on Symbolic and Algebraic Computation, 
1976 (20 Refs) 


Nelson, J., "The Development of Commercial Cryptosystem 
Standards", Gryptologiay Vol. 4,5No., 47 0ct.. | SG0R(> 
Refs) 


Needham, R. and M. Schroeder, "Security and 
Authentication in Large Networks of Computers", 
Communications of the ACM, Vol.21, 

NG here DEC 19.7.5 


Popeky G. and €. (Kline; "Encryption and Secure 
Computer Networks", Computing Surveys, Vol. 11, No. 4, 
Dec. 1979 (48 Refs) 


Rivest, R.L., "Remarks on a Proposed Cryptanalytic 


102 


i a as eqns 
1% 7 et. ahd) 
} 7 - a ‘a * . se ak 


Be rio 
(2-4 O8 Oss | 


oe ae 
erie ie ~ ase sapet o —s eh 


pian ty, 0) eee Leauge a 


en aw hoe, wag teed 
ee. me a | tage haces an 


hae cuteness 


| wer 
1k | eee mie 


(a9 Nr’ pT) 


id wabs ea, Tae tee] 
1%: <p ores i‘: ee ‘ . _ - 
(tee. 82, ! 7a ; patel phaee a 7 
ay oh & 
4 jant spent . sonaat Tse) az 
wero’. »"he ifesals : 


oii aeemoes | er iSaaah ae o 


Te Part 
ave aie eS cogataa 18 ae pis 


ie 


i 7 


[42] 


[43] 


[44] 


[45] 


[46] 


[47] 


[48] 


[49] 


[50] 


[51] 


103 


Attack on the MIT Public-Key Cryptosystem", 
Cry ptologiabeyows: 2. No .an  Ssaneedicns 


Rivest, R.L., A. Shamir and L. Adleman, "A Method for 
Obtaining Digital Signatures and Public-Key 


Cryptosystems", MIT Technical Report, MIT/LCS/Tm-82, 
ADs | O/T MsieRees) 


Shamir, As,. (How to Share: aeSecret  ) Commi) callonseOr 
UMEUACMT EV CII 22) NO a Ieee Nove 49758 (Shretsh 


Shankar, K.S., "The Total Computer Security Problem: An 
Overview", COMPUTER, June 1977 


Shannon, C.E., “Communication Theory of Secrecy 
Systems", Bel] System Technical Journal, 
VO OC tml o 49° 6 56— 705 


Simmons, G.J., "Symmetric and Asymmetric Encryption", 
Computing SUPVeEVSFAVOILE1NF No. 146, 8Dec? 91979 
(67 Refs) 


Simmons, G.J. and M.J. Norris, "Preliminary Comments 
on the MIT Public-Key Cryptosystem", Cryptologia, Vol. 
PPReN Gee) OC te O7 eet OO asia 


Sugarman, R., "On Folling =Computers Grime, leer 
Spectrum, July 1979 


Whiteside, T., "Annals of Crime: Dead Souls in the 
Computer", New Yorker, Aug. 22, 1977 


Williams, D. and H.J. Hindin, “Can Software Do 
ENGEyptron dob? Meee] eclronics, Jubye3, 4960 


Willoner, R.G., "On the Design of a Parallel Arithmetic 
Unit", Ph.D. Thesis, University of Alberta, Fall 1980 
(59 Refs) 


aa. 
a ae 7 


ith 
Tae 


7 
7 


> i ‘ 
‘ey ® * . - y 
wits wi nee bie ad spe ay i 
oft al 
° Taga wae nin 
renee Wan 


ASTIA fel 
o6 rie 


lg cee 


Appendix 1 - An Example of DES 


In what follows we show how DES (the 'Data Encryption 
Standard') encrypts and decrypts information, to provide 
some intuitive understanding of the algorithm. Obviously, 
Since wDEStworks with blocks of 8 characters or 64 bits ata 
time and puts each block through 16 rounds of bit-shuffling, 
it would be tedious to work an example of the full operation 
of the algorithm. Therefore, this example will show the 
Operation of a condensed version of the algorithm by working 
with a reduced alphabet, by defining a byte as being only 4 
bitseglong;, andeby putting®a block through onlye2erounds of 


bueashuse ling? 
A.1 Preliminaries 


The alphabet that is used has only 16 characters, each 
character therefore needing only 4 bits to represent it. It 
is a meaningless alphabet as defined by the following 
Sunrngiwe 0 1T23EYABCDUSHKRT (ye ‘Phepbittrepreseitat nensutorpthe 
characters in the string range consecutively from 0000, for 
LOomeroed iiuke. Lome Ty. 

Aseipehappens, Lit lis epesstrble Stojspeblyatyleastguwo 
words with the above alphabet: 'DATAKEY' and 'SACHARUK'. 
'DATAKEY' consists of 7 characters and therefore 28 bits and 
will be used as the initial encryption key in the example to 
follow. ‘SACHARUK' consistseofs8 characters one32 bits and 


is the plaintext message that will be encrypted and 


104 


nok say ani sina! sda 4 


, a 
~ 4 
shiveasg 
ern 
vo 
4 
‘ ita 
is 


: ro 
65 ry iH od wo) | qlevi In0¢ 


Mi 
| 


7" 


on fold ain veka 


« 


| Ti 
id Jo ebro 8}, quod A ra doe 7 
‘ud sitd Je oem Ba4 ne 4 a 3 Bud thing 


ble te ie. 


a le 


Niay ota Nien i a, 


pone a4 i 


wa) hzo be sami 6) 


sofd ain a 


* ay ae uv oe on 


oe + 
ea ; 
2 pea ai 


a + 
Ditw alge’ ei arate at ‘at 


3 ne . eee 
oi, ate: ae noise. | LEB 78 96 i a2 


~~ 


’ f 
eh 7 qc m ye | be } <@ 5 isl gis be 
“fe Ne 1p. ae $oe i pany, 
‘eliho Ayame mete. footed ea nbs sry yd 


Pi; y as 


; ' - Ry ; 
| | | i \ { \ j 
¢ a mn 
: he ’ ae 
| pn ait 
i : | . th : i y 


ojarto 2 ytlae es oA beau ai ders 


ji pa 


‘ane {no onl heen 2162 S 
f : ; li , | ae i 
4 b] ‘at } va i ‘*) a ] ad eet ie ‘a sol s Lea. 


pe eae 
NB 0 HauaDeAYl aeat c 


Be] ones onbize, a8 ad? 
iy ‘ 


r. ott 


te free ae 


aA ik to e « 
a a3 he aah 


i. 


105 


decrypted. Since the full version of DES uses a 56-bit 
initial key and works with 64-bit message blocks, it is 
apparent that the key and message in our example are exactly 
half as long as in the full version; however, the key and 
message consist of the same number of characters as in the 
Pu UERVersion. 
The bit representation’ for “DATAKEY' is’ therefore 
TOON SON OFM TMONEO WU ONS 0 COMOn 08 
and the bit representation for 'SACHARUK' is 
LOT O 199 THOOORT 1008 09G0 3810 On ORION s 
DES uses two procedures for permutation that transpose 
characters ina block of 8 characters that iS passed as a 
parameter. These are IP (Initial Permutation) and IP™' 
(Initial Permutation Inverse), defined as follows: 
x<847256 13>" 8 =) TP (x<12345678-) 


x<7482563 1> TPs 1x0 2845678>) 


u 


where 'x<12345678>' represents the initial block of 8 bytes 
to be permuted, and 'x<84725613>' and 'x<74825631>' 
represent the results of the permutations. The permutations 
above are arbitrarily defined and are not necessarily the 
permutations used in an actual implementation of DES. A 
block permuted by IP is restored to its original order when 
permuted by IP™'. 

A third permutation procedure called P-BOX shuffles 8 
half-bytes. In this example, P-BOX is passed 16 bits; it 
shuffles 8 groups of 2 bits each. We define P-BOX 


arbitrarily as: 


j 
7 
Peay 


eae 
pe ce 
REE 


yn a) itd eed Te) 7 MAS ; | 
| Nh a0. oe aka me Sioa! » ie 


oy 


ae ‘bs a ih 


; an ’ 
| a as isp es 
ecoqenais vedy. oo nha 30 eahababa 
2.6 wong saadietason del We etn me wy 
ot Ada (apatite en ee eat: 
tekettey ae Sénik 98) Coeapbad woioed 
er ee certesreton 
“Haan eopeds Mga al ate lie 
aegud! 8.20 sapie seis sea 
Magpie ceagettnn i s is fh 


: ae me 
ey i oe ivr .. ape ts 

ea i, rd er : \ ; 
i nie iowa rhe wah 


106 


X¥<56324817> := P-BOX(x<12345678>). 

DES also uses two procedures for permuted choice in 
which a group of characters is first permuted and then one 
of the characters in the result is dropped or replaced by 
the null character. We define the procedures as: 

X<4823675> := PC1(x<12345678>) 

R672 13 928s =ePG2Z Ux 12445692) 
That is, 8 characters are passed to PCl, they are shuffled, 
and the character designated as '1' is dropped, leaving 7 
characters. PC2 is passed a block of 7 characters that are 
shuffled; the byte designated as '4' is dropped leaving 6 
characters in the result. 

DES uses some tables, the e-table and s-tables, for 
non-linear substitution in which groups of bits are replaced 
by fewer, or more, bits obtained from a table. (Part of the 
reason for reducing the number of bits in a character in 
this example is to reduce the sizes of the tables, which are 
fairly large in an actual implementation.) We define the 


e=table’, arbitrarily ptingFigure A.1. 


00 


000 
01 011 
10 100 


tA 


Figure A.1 - The e-table 


Given '00' as an index into the e-table, '000' is returned. 


Thus, the e-table is actually an expansion table that 


- 7 7 , ioe iu i Piet i . a, _ ; af 


ae 


| i ‘f : bas Ve , . . j ' 

oh 7 Bath, » Ph, ie i Bis ’ ib 

. a arr ey - aah 
dy ie 


\ 


3nd. one Vb bg euler neces ‘ 2 
€ mics 8 Boe ue sat uen he a0 
‘eG aevwtnaag smth tae igi: ; 4 
“(eatansemrnd| vo fay: ; | 
| bet aepeeheansa “3 ikeen' rh | 7 
fot Yds ie wae yap (i wi boxxag nie anes ew f tant 
. ealveel , Saqqe “hs “i ap a nadgagdinet aad 
e956 sea etasves ays ts dacitd Sean at: soe 
patwowd meme * WAN * opiaaeiesi aayd ou, bed 
oF ae Naan odd nt e293 
1 aA ei “2 Ang et tit sits yates ‘3 ene eany. aan i 
jessiqe, he vba) te hiuredd doin ‘Ae Ol guah 20d nan 
eo to gre) | celina 64,0at ‘Resa! atde @did .es0m 30, 7" 
ovmata. ‘sy ay, ae eo bodaya $42) ‘gadsated: 3634 
ous cheek 20hdEa wet: ve awe ied ey hee) get ai. stacera a 
aie aria wT, se atone am bans ts ah; pies Ye 
os ah hiner, sea ) 
wl alse yas ok ia 


a ah ae 


" 
wioers 


ne : 


107 


Leplacesa 2 Dipsmaby 63) Mel neamrol) implementation, 4 bits are 
replaced by 6, making the table 4 times larger. 


We define the s-tables, arbitrarily, in Figure A.2. 


staal hetetat et abet stats 


LO ROG 
. a0 7 a OOVE On 
tO: 0.) 00 TONs Oi 
1an0 0 vs i. V1 Tha tile Ow 


14 00 
Oita Or 1.00 : Mi 00 OU aaae 00 e v 10 
TOME 1 OT EO 4 Oa SO Ae to 1.01 CaO. VO Cn 5e00 
01 ad 


Figure A.2 - The s-tables 


The s-tables are indexed with three bits by using the 
first two bits to determine the row and the third bit to 
choose the column in a table. Therefore, 2 bits replace 3. 
In a full implementation, 4 bits replace 6; therefore each 
table in a real implementation is 8 times larger than the 


ones above. 
A.2 Key Series Generation 


Before encryption is done a series of keys is generated 
from the initial key, 'DATAKEY'. Key series generation is 
done by a procedure called KS that, ina full 
implementation, generates 16 keys, each 48 bits long, from 
the initial 56-bit key. In this example only 2 keys are 


generated, each 24 bits long, from the initial 28-bit key. 


: + 4) - 


. “a p - dig? 
: wae ne Pe ae AM ee ‘ * ng iy 


: this a ey sepnoneng: ). 


is ah mo Pre al 
hh souptt ni tania " i sa rs 


SaraC aKa saan aL 


gern te wait. Ca psa cabll 
eds 20 hy, We mate eons Bashibd ‘boiaba! ets "sodas 
oo 444 diana 4, Ban dei, Set enidivdant 5 ve anid ov 


voy PR ae 
-€ Sh2) que asis's 20am sided e70] nw La ert « 


dew anodeaauty <o opatey 9: dete ) Aotanzonuaigt ut em 1T 
ad ts Nhs eon yt 2! sol seraonelon! 7 ar ‘ake 


Pas & - 
ete 4s \ ' = ® ie > » 
; 7 oy 
_ «\o) oo nebzezened epewad 

‘ 


io ) snob bh porsgyr dame r : 
af cobras my Si yumacaa yes sotdint ott i a | 


Sei on 


9 TRO 


a 


wont ont pe to: 


ind 
a 


108 


First, 'DATAKEY' in bits POUM anor 
LOO IMOIT0 AMNION Oe iHow OOo eOHOT 
is expanded from 28 bits to 32 by adding 4 Parityubitsito 
each of the first 4 bytes, obtaining 
1OOT O11 001 Ni1CC O00 1108 O1Ceeer01. 
Pnpansactualjimplementation parityebits forvealie /tbytesmace 
added, plus 1 more parity bit obtained by taking the parity 
efe thes S56e7=63nbitiresult. 
The 32-bit expanded key is now passed to PC1 which drops 
a byte (of 4 bits) yielding a 28-bit result 
11OOPOMOde0011G00N 1914 0d OA0 ORG Oo 
that we call the key seed. 
The key seed is split into two 14-bit halves and placed 
bnetworregqisters: CC, and D,. Therefore 
( 100ROn Od S008 1408 
roepleced andCopieand 
1 de. 012010 0B 7700 
isi putetntoeDgem Thehtwomuegisters are now rotated lefcewitin 
end-around carry, yielding 
100051010 “011007 
eG, sald 
1eO we Cy Uae Ob el Ome Ui 
in D,. The two registers are concatenated in a third 
register (C, and D, are saved for later use) and the result 
passeds ton PE2.eySinces2s bits are passed, 24 bits remain 
after shuffling and dropping a byte: 
T001 1001 100051010) Cie 0d0. 


ot, esi seetean ee 


: Ta dy vie 1 


a or) 
r re 7 oo a 
fat | 


/ frond eats coat BO 
vk wbiye © Lue tot abtg eetieg mbidbogmaniont area aka 
ve Fake ‘a onies A boniaado 438 igalhaag poers “ ae 

yw? oe 
fe ase hd Gj roe +384 tae 


aaeow. datdy Pt. oa. Ss neug eee al wnt bebqsans, tase ant 
Dhnieay tbe - as» ppibtiedy (eatd-s te) ane a 


oo he ogre Hleuit vit Wako 19005 OOrt iD my 
wh a Ae chee weal ana Hea” a oe 
benei? bre Sonad dade “At ate otal afin oe ene) me sat 
A issih ae oti re) glesdigen ided an 
Cor HEGG Grd ODT | pr 7 
oo ec ea 4 bra 1/64 beoaia eb 
“aa Garo. rol ; 


dtiw giek Dugas (vor “7 anede: co7 ows. oT LSipaal 
lp ieee «x78 ih . 
10 vont itor 007 


a Uy ¥ Aa 7 ; ~ 


ete drt ee ee 


prety 6 nd borane no 29 ovg.eaedel 


1 fiotg>| il Sa ‘sok ak ve 6 
arn * ay Z a a ieee ae ; 


uke ab eat 4 
| Aacen ib i wn iy 


a 
AAs es HW oh of 
on Rae ye 
as 7 us ‘wee : 4 ue 
: ; . ly ) 


\ 


109 


This result we call Key No. 1. 

The contents of C, and D, are now rotated left with 
end-around Carry one more time. The register results are 
concatenated and passed to PC2 yielding Key No. 2: 

OOP GOTTS 01005 00017 4 100 Oto 
Key No. 1 and Key No. 2 are now used to encipher the message 
block as shown in Figure A.3. We describe the process of 


encryption with reference to Figure A.3. 


A.3 Encryption 
(1) 'SACHARUK' is passed to IP yielding 'KHUAARSC'. 


(2) The bit representation of 'KHUAARSC' is split into two 


registers) ol geanager . 


(3) The value in R, 1S expanded by taking two bits at a 
time and using them to index into the e-table. The 
result after expansion is 24 bits long, which is the 


Same length as Key No..1. 


(4) Exclusive Or R, and Key No. 1, to form the intermediate 
result 0. Q should be thought of as consisting of 8 


blocks; ‘each block%3 bites long: 


(5). The 8 blocks-in Q are used to.index into the 8-s-tables 
and are each replaced by their corresponding 2-bit™ 


table entry. The result is 16 bits long. 


‘9 vee ot i ae Ver MOA fies): a 
aly ¥ Seb be 22090 is Pie! DORs Pe, 1 34 ee tne ny: eayt 
ep 


aa aye are ite i " \ omi maen x ea0.4 gh ty 385 Sau «| 


es 
ee ag fue: 


i itdy ” f A La | 
; aa Ak , 2 » : Sy ' . 
ay ey xy RIG G2 req § betutes#e 
i) Bs : a ' a 
‘ ‘ uy 
ane gah iain A) : pit meee 
7 i 
i) iy ; R i 
, 7" : we iF s otal sue 
vee ; 
; E ‘2 iio n@% 2 7c. 
r ; Ve a bale 
ca, ai. Q ia 048 


a 


ts | “4 i 

itl 7 lor Ave 4 ae. i o* ! 4 An q i 

oe | . ‘ r? hi ae ‘ ‘ee ep j A ry et 7 
’ ’ ; wil, ri 


ae 7. 
« a4 <r 
fot ries ssikitel - 
y 4 A 
. ov Aa: .. a as <= 0 cag 
wig .ab dow (eek, oie Oe) wt 0 tanag a8 499) aes 
| é } Te oak om oni Arty ake 
; ee pen mk 
h Yar b ‘bas y 


77) 


‘a, t 
i 6M. i t Brig ite/at Fh 


110 


"SACHARUK' 
¥ Le 
"KHUAARSC' 
Y 
lee) age pal one ae 9 ae ne oer wel 
We + + Ro 
1 ae 10 O10 02 0.460 OVO L0e TOTt S1000 
¥ EXPAND 
On OO tO C = VOOt tia 100 00 
keyeNo we \ 


FOGH TOO 110.00 e100 Om 1101.0 Ge 


“ Q 
TATOTPO TOO TO0 OO TMIGy OTe 10 
+ SUBSTITUTE 
OOM OCT 1a Oe ia0 
+ PBOX 
1hO1 OCT PHVOSO0mit 


¥ 
> ® 
By c= R, + R, 
TO LOT OM 6 10:00 OOCOF Met VO 100 SONes 
Y EXPAND 
OO0000 111 Ii 0 1100C 0 iso 14 
Key No. 2 ¥ 


COeCOF ii OT 0080 00 TEC OOM 0 ae ae 


Y Q 
OO 100 OOM OssteCakT iv ler Onlutnia C 
SUBSTI TUPLE 
110 Cae OO Oia tes tetOi0 
YP BOX 
Ol 140 0000s i 


R, 
1 2006.80 tO COO VEOC Tet hi Oasis 


H000 KEPINOTOOLO10 120001 SOO 110i tt Orn 
iS * 


¥ 
FOR1LOTOTOOTL DT TTR CO01T 7001190 T00RG000 
+ 
US YER ISEO: Encrypted Output 


Figure A.3. Encryption with DES 
(® = exclusive or) 


| Sea a o 
OoUbOT LL Poor. iid one es 
ee 
| Ae oe “oars 
Orr so ort Pee OOROOE, araens a 
eroTITeaes |. ewe, 
Ore Ore 900 4490 | 
ROGq.. Ve. Loe 
Wie OFT] oe port ue ; a 
" iy re | ee _ 
ay tii, ; “5 
vf i 90t yt beng bee. j ‘gour’ TOF eur 4 1, 
Ce ie ea ; ~ re i 
SR ae 1 aad 1 ees | 
ME » | 7 ’ . 
eh jeoteoe ps One anol SOB | 
a i £7 VD ay i our! ‘am 7 be 
wierrewge fa 
a me Had) ey t : é ( i 
‘rag 4 oS - 
pon rain’ teh — 
: x 
ae -Ama 
Prego bin tte ieg of op a era 7s 


x 
rte es nde 1900, wie nls. eS bie 
ove ney ieee ini mreate am 


(6) The 16 bit result is sent to P-BOX which permutes 8 


Groups “Ob Ze bite geache 


(7) The result of P-BOX is XOR'ed with L, and placed in 


Hegrster sR, . ORe tis now placed tin requseeuaL, . 


(8) The process described in steps 1 to 7 above is repeated 
with registers L, and R, replacing L, and R,, and with 


ROVENC.) cence DL acinGuekeWwaNO a. 


GQ)e Ra is placed in registersL,, IThe resulttat step 6 
above-is-placed-in- register Ry.- DB, and R; are 


concatenated. 


(10) The concatenated result at step 9 is passed to IP™' 


yielding the encrypted output 'SYBT13E0'. 


A.4 Decryption 


Decryption works in a fashion extremely similar to 
encryption, but is not precisely the same. See Figure A.4. 

Firctu= -SYBT1ISGB0 is passed=intoehP yielding “0TEYISSBi. 
The result is then split into two halves and placed into 
registers L, and R,-WEhewdecryption process now works with 
the Jere cegister, Laweanstead, of themright@negusten as ein 
encryption. A second dissimilarity between encryption and 
decryption is that Key No. 2 is used first in decryption, 
followed by Key No. 1. The final dissimilarity is that in 


encryption the register L, forms the high-order bits of the 


ty 
ar | 


ine 7 
soqje) @2 avode fT ot ¥ va ink 1 oh as. aug sok 
Ai 


- -_ A ‘ " 2 wal i 
rw She ~ DAE dk Orne ¢ sullgion v7 ; r ‘Bra! al pater, T- 
; re es ; 


it 
bidet mys re ai Wale 


, bal iD " ia! se it i A 
an ry 7 ot a : 
i ie 4 nal ) it 
en, r 


j Mat ' , @ ¥ a 7 is 
ni peos ig as i a ae “50. tus i ont 
ri : i mA : + 

obs 1438 pei 6 bi we} 2 


‘ 
\ : iy oe wr 
‘ hy iy Pan i 


# rae A te wipes” 


ee 


} ~ 
: » ’ 4) 


x “4 yeN. oF 


_ 4 oA 
2 ivsk « 49 ’ 4ors 
Thue get 54a 9 2@4 
i : iy ; 
: . yA Bae a ¢@h- 29401609 
Vite Tai 
\ 9 ie ee! | 4 . o ; 
. aN AY 4 } 7 i} 
i ‘| a 
f P i i a ee r ; 
oO; Dbetasg se 8 Gece ge ion eT GRADS 
i; ‘ 7 be aie | J a — Pte. ha 
“Quarvave’ gedue fh ay pore’ ada 
14 
’ F , i ran 
9 be j 
- ’ > ity + y’ 1 
wd vi) 7 
ya | : ‘ iy 
‘ a 
’ uf _ a a 
J ; F a 
. : Mf ! ' Tk ‘os 
£ niinia wlensaudve sages © fi Detem 
oy Ta 7 7 2 Lath 
‘pt sh pontea wiAd Ny we aNK apie ted 
1 e wet al 


ESV BR Wisk Ou 


i TP 
LOERYA3SB: 


¥ REVERSE 
SiS SBOlRYy 


| cic haan a tela caa o g aig ke megs joe | 
R2 Y ¥ L, 
OO COO Mand Ot mOtaia 0000 1111 0100 0101 
+ EXPAND 


GOGOOO MIM ier Oe OC OOM Oma 
Key No. 2 + 


OOT100 110100 000111 .000710)] > 6 


y Q 
O01 COF00T Oi sO hii Ousna 
TP eSUBSRETULE 
AOI OOR Oe inter 
+ PBOX 
Ovals lies Cs 50 O10 Clarita 


\ 
@ 
Ras] Le + iy 
OC COMa lie 0 }0080 10a OTs OR sits) Ce iO ae O08 
Y EXPAND 
Olt OO i OO TOOT Te C.O.00 
Weve N Osea y 


Oat bOp Os leO UO Ome 10) Osten tse CuO a em 


+ Q 
TIT00 0 AO OTOOR UO Ts OaiGa a 0siG 
ee UBS Eng Pe 
Oe vim OO mete Ose at aO 
+ -P BOX 
PEO Ae OO A oieaial 00 Ong 


ar ae 
i eet OO 10. OO OUT Oia Or a0 tii a.0 0.0 


Lo 


y y 
AO O01 O10 0n TOOT 105 11s 0 er Ong PO 00 


+ 
"KHUAARSC' 

Y Pie 
"SACHARUK' Decrypted Output 


Figure A.4. Decryption with DES 
(® = exclusive or) 


CHASE 4 | 
rvants enarso 1744 F¢ana00 y, . 


‘ + opoao ‘een mist 


. 

i? G17 sre hers fre'dée e6: fad : 
sTurT: Teaue i we 
bor? tie seal ror! 


i] 


O85 
ras Sono ior? i270 


i 7 en 


i | pe ae ae 
wos pgs geval etre) ||) 4 bore) ome Men ndoa ay 
ehewee + a | 
| Géqodi OR ete spi ; * 2 i 
| c -, wert Sedat aeert0 aT 4 


ve 347. OO. 409Q 
a * 4 r°% 
| is squat) 
| s eee es oe 
| rs eer ced saree gra ores 


| | ; nes re 

end? 1 ree-Gbne arya wr egir te: pnts ron 
4 : 

' 2A atte 
ae 


concatenated final result; in decryption R,, the right 


register, has the high-order (i.e., leftmost) bits of the 


result. 


After concatenation of R, and L, the result is passed to 


IP~' and the original plaintext message results. 


( : oan 
ie » 


Phy | i¢ 


i oat aye FY a at 
od Remeny WL 7 lames ests soli bap 
t 7’ ah 6 ; a) j 


‘se 


il 
ae 


a ee 


a 


_ 


i ae ee 


a rie 
i 


